Eisners 2020 Post 2
I think this may be my last comment on the Eisner voting site breach fiasco but no promises.
This is the entirety of the CCI communications on this matter that I was able to find:
As a result of our investigation into the recently reported issues with the Eisner voting website, it appears this was not a malicious attempt but an error in the platform itself,” Glanzer told Newsarama. “While our examination of the records leads us to believe the problem is small and we have no direct evidence that any votes have been altered, out of an abundance of caution and care we have decided to re-run the vote with a current and secure voting platform.
That, by the bye, from David Glanzer, the chief communications and strategy officer of Comic Con International, aka the guy who wouldn’t answer my questions. Now I want you to contrast that with an email I received yesterday:
Let’s note the elements of what an actual breach disclosure communications look like:
- The organization contacts anybody potentially affected:
We’re reaching out to let you know that the ACLU was notified of a security breach at one of our vendors, Blackbaud.
- Details of what happened and who was involved:
Blackbaud, which works with many nonprofits to support their fundraising and engagement efforts, was the target of a ransomware attack. As a result, the hackers obtained some personally identifying information about Blackbaud’s nonprofit clients’ donors and prospective donors, including those of the ACLU. Please note that no credit card or bank account information was compromised in this breach. A full description of the incident is available here. (note: this link will take you to a third party website, blackbaud.com)
- Source of failure, current efforts, future direction:
Blackbaud believes they have successfully retrieved the stolen data, but we cannot be completely certain this is the case. The ACLU’s contractual agreements have always required Blackbaud to keep our constituent information confidential and to have security procedures in place to minimize breaches.
In all candor, we are frustrated with the lack of information we’ve received from Blackbaud about this incident thus far. The ACLU is doing everything in our power to ascertain the full nature of the breach, and we are actively investigating the nature of the data that was involved, details of the incident, and Blackbaud’s remediation plans.
We are also exploring all options to ensure this does not happen again, including revisiting our relationship with Blackbaud.
- What you can do:
If you have questions, please contact us at 1-888-567-ACLU (2258).
Please note that the failure on Blackbaud’s part was less than what’s been said to be compromised in the Eisners breach: although names and contact information were apparently up for grabs, there’s no indication that anything was changed as at the Eisner site.
Please also note that Glanzer’s statement was about the vote, and didn’t acknowledge the loss of control over the information about the voters. He doesn’t seem to understand that the vote is not more important than the voters.
The vote is not more important than the voters.
To repeat again, the response from CCI has been wholly insufficient, and is likely in violation of California state law, EU law, and maybe that of other jurisdictions. I’m not competent to assess their legal liability, which is why it is critical that CCI get some godsdamned guidance from qualified Incident Response experts. Anybody that voted at the breached site should be demanding CCI get off their collective ass and treat this seriously.
The above comments are owned by whoever posted them. The staff of Fleen are not responsible for them in any way.