The Difficulty of Disclosure, Surebet247 and the Streisand Effect
SureBet247, a popular sports betting company based in Nigeria, was the victim of a data protection incident affecting its users that would have put thousands of records stored by the company at risk. An anonymous user discovered the information exposed on the public Internet and reported the find to Troy Hunt, a security researcher and founder of the Have I Been Pwned platform. After attempting to contact SureBet247 without success, the researcher decided to share the find with the cybersecurity community.
This incident has been particularly frustrating for both Hunt and the anonymous informant, who have repeatedly tried to contact the company. SureBet247, for its part, has not commented on the incident in any way, so investigators do not know whether the company was even aware of this serious breach of its users’ data protection. Based on Hunt’s reporting, the International Institute of Cyber Security (IICS) finds it unlikely that the company will implement an appropriate security incident management process or even notify all potentially exposed users. Given the company’s irresponsibility, customers are advised to reset their access passwords to the SureBet247 platform, in addition to monitoring their bank accounts for any suspicious activity.
"This is a blog post about disclosure, specifically the difficulty with doing it in a responsible fashion as the reporter whilst also ensuring the impacted organisation behaves responsibly themselves. It's not a discussion we should be having in 2020, a time of unprecedented regulatory provisions designed to prevent precisely the sort of behaviour I'm going to describe in this post. Here you're going to see - blow by blow - just how hard it is for those of us with the best of intentions to deal with organisations who have a very different set of priorities. This is a post about how hard disclosure remains and how Surebet247's behaviour now has them experiencing the full blown Streisand effect."