Learn From The New York Times Hacking Incident

The world's most well-known news organization found itself on the losing end of a hacking incident, along with other media heavyweights. Having a proactive approach can go far to prevent something similar from happening to you.

How high-stakes is your data?

As The New York Times learned recently, if you do something that ruffles the feathers of someone powerful, your data may be at risk.

The newspaper, which ran an article critical of Chinese Prime Minister Wen Jiabao’s family, suffered a months-long security incident that affected employee passwords, company data, and home computers owned by reporters. Forty-five separate pieces of malware, which were traced to China, were used by the hackers.

“Now that a Chinese attack on The New York Times is international news, any dissident or potential whistleblower in China will be wary of talking to journalists at the paper—or, for that matter, all journalists,” Slate’s Farhad Manjoo recently said.

Even on a small scale, it’s worth keeping in mind what you can do to ease concerns of members and employees.

And The Times wasn’t alone. The Washington Post announced that a similar hacking incident happened at the paper in 2011 and 2012, and The Wall Street Journal announced an incident of its own.

(Disclosure: I worked for the Washington Post Co. during the period of the alleged hacking, though there have been no reports of employee data being compromised in that incident.)

Think it couldn’t happen to your organization? It could. First of all, associations such as the U.S. Chamber of Commerce and the Institute of Electrical and Electronics Engineers (IEEE) have suffered major security incidents in recent years; the Chamber’s was very similar to the one that hit The Times. And, as in the case of Wired journalist Mat Honan, it can happen to an individual, too.

Even in on a small scale, it’s worth keeping in mind what you can do to ease concerns of members and employees. Some ideas:

Be proactive: Often, the best way to handle a security incident is to prevent it from happening in the first place. Update your software—operating systems, antivirus software, PDF viewers, Flash players, Java runtimes, and so on—early and often. But when a breach does occur, have a plan in place so you know what to do next. While only you will know what makes sense for your association’s interests, Microsoft’s TechNet offers a useful set of guidelines to get started.

Solve the problem: Ultimately, you need to find the source of the problem, isolate it, and prevent further damage. If possible, solve the problem internally before bringing it to the public’s attention—although, in cases such as the IEEE’s membership breach last year, you may find your hand forced by a third party.

When necessary and useful, disclose: While not every incident requires public disclosure, larger ones do. Tell members and employees what you know as soon as you can paint a full picture. Offer useful information to members to fully explain what it all means, while being careful not to provide sensitive details that could endanger member data further.

Answer questions: Much as in any crisis involving member or employee data, a focus on customer support can help reassure people who fear that their information was exposed. Coordinate with your public relations department, and be ready to explain what happens next. Ultimately, this is a PR problem as much as a technical one.

If you faced a security crisis like The New York Times did, how would you resolve it and protect your interests?

(photo by Jason Kuffer/Flickr)

Ernie Smith

By Ernie Smith

Ernie Smith is a former senior editor for Associations Now. MORE

Got an article tip for us? Contact us and let us know!