CyberSecurity Done Right

I received an email. It came from TaskRabbit, a company about whom I don’t know much. I used them to get moving help when my containers were delivered and had a really strongly positive impression. Also, they had some heavy-handed product placement in Unbreakable – Kimmy Schmidt, which still was endearing.

While I know little about the company, I know something about their handling of a cybersecurity incident. Here is what they had to say:

Dear Marco,

TaskRabbit is currently investigating a cybersecurity incident. We understand how important your personal information is and are working with an outside cybersecurity firm and law enforcement to determine the specifics. In the meantime the app and the website are offline while our team works on this.

We will be back in contact with you with more information once we have it. As an immediate precaution, if you used the same password on other sites or apps as you did for TaskRabbit, we recommend you change those now.

If you have any questions in the meantime, please reply to this email.

Thank you for your patience while we investigate the issue and for being such an important part of our community.

TaskRabbit Team

Now, the reason I feel comfortable quoting the message is that I can only applaud it. If the content is accurate, TaskRabbit is taking this seriously, is proactive with information, and says it is doing the right things.

Compare that to another company that knew it has lost the information of half the population of the United States of America and didn’t say anything for an extended period of time, while it was “investigating.” Or the other company with which I used to do business, who lost my credit card information (including the CCV it is not supposed to store), leading to a series of charges to the tune of $10,000 on Bing Search and a heavy downgrade in credit rating.

I don’t know. How can we continue pretending that identity theft is a problem for the individual and not for the companies that leaked that information? How can the customer be responsible for fraudulent charges when the gas station didn’t do anything about the skimmer on their premises? Why do we accept that a company hiding a massive data breach can get away claiming oopsies while thousands or even millions of their customers have to worry every day about getting ripped off?