How to report on a data breach

An open padlock on a circuit board | Photo: Adobe Stock

What do Target, MySpace, Equifax, LinkedIn, eBay, JP Morgan Chase, Yahoo, Sony, and many other prominent—and less prominent—companies have in common? They all have been hacked. Taken together, these hacks exposed billions of records, some of which are extremely personal and sensitive, about millions of their users and customers. 

You may have heard of those data breaches because you were hit by them, or because of the sheer scale of damage. The Equifax breach affected more than one in two Americans, Yahoo lost the personal data of 3 billion users in two separate, devastating breaches, and the hackers behind the Target breach looted 110 million credit card numbers. At press time, Have I Been Pwned, a data-breach archival site, had documented more than 8.5 billion hacked accounts. If you are reading this, then you have probably been pwned at least once.

Given that we’re digitizing information at increasing, seemingly unstoppable speeds, and that we seem hellbent on putting everything on the internet, it’s a safe bet that such hacks won’t stop. That’s why it’s important for journalists at all publications and on all beats—not just tech reporters—to understand how to write about data breaches. 


I’ve written about most of the hacks mentioned above (and many others not mentioned) during my seven years as a tech journalist. At Motherboard, VICE’s online tech-and-science magazine, where I work, we’ve written about so many of these, we publish an occasional series called “Another Day, Another Hack.” 

You don’t need to be versed in the jargon-heavy world of cybersecurity to write a data-breach story. (These are straightforward news pieces: there’s a what, when, where, how, and—sometimes—a who. Trust your good ol’ inverted pyramid and you’ll be fine.) But data-breach news stories pose unique challenges to the reporting, fact-checking, and writing processes. 


 

Reporting

First of all, you must understand how a story might reach you. Sometimes, the authors of the hack will approach you directly to alert you of the breach. As ever, be skeptical: hackers tend to crave attention and fame, and they love being in the news, which leads them to oversell and exaggerate what they did or how much data they obtained. In any case, you have to verify that what they’re saying is true. Luckily, there are several ways to do that without the help of the hacked company (which my colleague Joseph Cox explains in greater detail here). 

The easiest method is to contact the company or service that was allegedly broken into and ask them to confirm. More often than not, they won’t. And if they won’t, it’s time to do some more reporting!

A second obvious way to verify a breach is to contact the people who were affected. If you have access to the hacked data, look for phone numbers or emails. (If you don’t have all the data, at least get a sample from the hackers.) Contact as many people as you can, and ask them whether the data you have about them is accurate. If a dozen people confirm, then, in my experience, it’s fair to say the breach is real. Victims won’t be eager to trust and talk to a stranger who may be sending them their own passwords, so this kind of reporting is delicate and labor-intensive. To get a dozen people to confirm, you’ll likely have to reach out to more than 100. Obviously, try to get them to speak to you on the record, too. There’s nothing like an angry victim’s quote to show the impact of an abstract-seeming crime. 


Remember people’s feelings. Empathize with the victims when writing the story; don’t trivialize the hack. It may have exposed incredibly sensitive data and put your prospective sources in an uncomfortable or even dangerous position. Do not—under any circumstances—say anything that an already embarrassed person could read as blame or mockery, and do not expose them to more potential harm—for example, by exposing their names or identifying information in the piece. They have already been hacked because a company they trusted failed to do its job. 

 

Fact-checking

If data from the alleged breach contains both usernames or email addresses and passwords, you might be tempted to test them and log in with them. Do not do this. This is both a crime and an invasion of privacy. A more responsible way reporters have used hacked data is to try signing up for the hacked site with an alleged user’s email address. If the site returns an error saying the address is already registered, this is a good indication that the data is legitimate.

Sometimes hackers collect and mix up already public or previously exposed data and claim it’s new, perhaps because they’re trying to sell it on the black market. Searching for some unique strings, names, or email addresses should clear up whether the data has been exposed previously. Have I Been Pwned is a useful resource for this work, and was created by a reputable security researcher. Entering an email address allegedly exposed by a breach into its search bar can indicate to you whether the address is, instead, simply part of another dataset easily available to hackers on the black market. Breached data loses its monetary value very quickly after the breach is reported, so impressive-looking collections of email addresses and passwords are not hard for hackers to acquire. 
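The overlap check described above (searching a claimed sample for addresses that were already exposed) can be automated when you have the sample as a file. The script below is an added example written for this article, not code from the author, Motherboard, or Have I Been Pwned; every record in it is constructed, and the "known dumps" stand in for whatever previously published datasets you have on hand. It normalizes the email column, measures how much of the sample already appears in each earlier dataset, and flags the sample as likely recycled when most of it was public before.

```python
"""Check whether a claimed breach sample is recycled from already-exposed data.
Added example for this article; not the author's or any vendor's code.
All records below are constructed, made-up entries, not real breach data."""
import re
from typing import Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_email(raw: str) -> Optional[str]:
    """Lowercase, trim, and reject anything not shaped like an email address.
    Dumps are full of trailing whitespace and mixed case; without this step
    two copies of the same address fail to match each other."""
    addr = raw.strip().lower()
    return addr if EMAIL_RE.match(addr) else None


def extract_emails(records):
    """Pull the normalized email column out of 'email:password' style lines
    (the layout most dumps use; the password part is never inspected)."""
    found = set()
    for line in records:
        email_part = line.split(":", 1)[0]
        norm = normalize_email(email_part)
        if norm:
            found.add(norm)
    return found


def overlap_report(claimed, known_dumps):
    """For a claimed sample, report what fraction of its addresses already
    appear in each previously exposed dataset, and which ones are new."""
    sample = extract_emails(claimed)
    seen_anywhere = set()
    per_dump = {}
    for name, dump in known_dumps.items():
        hit = sample & extract_emails(dump)
        seen_anywhere |= hit
        per_dump[name] = len(hit) / len(sample) if sample else 0.0
    return {
        "sample_size": len(sample),
        "per_dump_overlap": per_dump,
        "previously_seen_fraction": (len(seen_anywhere) / len(sample)) if sample else 0.0,
        "new_addresses": sorted(sample - seen_anywhere),
    }


def likely_recycled(report, threshold=0.8):
    """Heuristic: if most of the sample was already public, treat the 'new
    breach' claim with extra skepticism before writing it up."""
    return report["previously_seen_fraction"] >= threshold


# Constructed sample a hypothetical hacker handed over (not real data).
CLAIMED_SAMPLE = [
    "alice@example.com:hunter2",
    "BOB@Example.com:letmein",
    "carol@example.net:qwerty ",
    "dave@example.org:password1",
    "not-an-email:xyz",
    "erin@example.com:p4ss",
]

# Constructed stand-ins for datasets that were already public.
KNOWN_DUMPS = {
    "oldsite-2016": ["alice@example.com:oldpw", "bob@example.com:x", "carol@example.net:y"],
    "forum-2018": ["dave@example.org:z", "alice@example.com:w"],
}

if __name__ == "__main__":
    report = overlap_report(CLAIMED_SAMPLE, KNOWN_DUMPS)
    print(report)
    print("likely recycled:", likely_recycled(report))
```

A high previously-seen fraction does not prove the hacker is lying (a genuine new breach of a popular service will also overlap with older dumps), but it tells you that the sample alone cannot establish that the claimed site was breached, so the victim outreach described earlier is still needed.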

Just as logging in with stolen credentials is a crime, asking the hacker to do more hacking to help you verify their claims could be seen by law enforcement officials as conspiracy, making you an accomplice. You should still chat with and interview the hacker to get as much information as you can, especially anything that may help you confirm your reporting. But stick to asking for things the hackers already have. 

 

Writing

Now that you have fact-checked the breach, it’s time to write. If you can, give potential victims some advice—your most dedicated readership for this story will be people who were personally affected by the hack. Were their passwords exposed? Remind them to change them, and remind them they should change other passwords in case they were using a single login across multiple sites—something that’s still common, unfortunately. Suggest they use a password manager such as 1Password, LastPass, or Google’s own password manager included in Chrome.


There’s a fine line between giving your readers advice and scaring them. Don’t alarm people with unsubstantiated claims or exaggerated risks. Just because the hacked data may include stuff such as home addresses doesn’t mean criminals will show up at their doorsteps. Stick to facts, and talk to an expert if you’re not sure what advice to give. 

Finally, consider a rare, but important, possibility: If the data breach is ongoing, and the company responsible for it has not taken the exposed data off the internet, you may have to obfuscate details of the breach to protect the victims. This is precisely what Motherboard did earlier this year, after a researcher found 95,000 private pictures and 25,000 recordings taken with consumer spyware—unbeknownst to the victims—on a server on the internet, available for all to see. In our coverage, we decided not to name the company behind the breach until after it was taken down; to do so any earlier would have risked exposing the data itself to the public. 

That should be all you need the next time someone loses millions of passwords—which will probably be soon. 


Lorenzo Franceschi-Bicchierai is a senior staff writer at VICE Motherboard, where he covers hacking, surveillance, and privacy. Before VICE, he worked at Mashable, and at Wired's Danger Room. He graduated in 2012 from Columbia Journalism School.