A while back, I blogged about how not to handle notification of a possible breach. In that case, I began to receive spam to a very unique address only used at one place. When I attempted to report the potential breach, I was at first stonewalled, and then “cautioned” against publicly discussing the issue.
Unfortunately, the stakes have risen from spam to outright malicious e-mails and this time the suspected company is Payscale.com. When I received a malicious PDF to a very unique address only used for that site, I wanted to let them know about a possible breach. So I sent an e-mail to every one of the contacts I could find on their web site. I wanted to make sure someone knew about this.
After over a week with no response from anyone, I received another e-mail, this time a malicious link posing as an Adobe Flash Player update. Still no response.
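The per-site unique address that makes this kind of attribution possible can be checked mechanically rather than by eye. The following is an added Python example, not code from the original post: it keeps a small registry of which unique address was handed to which site, and flags any inbound message whose sender domain does not belong to the one site that was ever given that address. All addresses, domains and the two sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed registry: each address was given to exactly one site
# (placeholder names, not real sites or mailboxes).
CANARY_REGISTRY = {
    "me+sitea-7f3a@example.test": "site-a.test",
    "me+siteb-91c0@example.test": "site-b.test",
}

# Constructed sample: a phishing-style mail arriving at the address that
# was only ever given to site-a.test, sent from an unrelated domain.
SUSPECT_MESSAGE = b"""\
Delivered-To: me+sitea-7f3a@example.test
From: "Flash Update Team" <updates@mailer-123.test>
To: me+sitea-7f3a@example.test
Subject: Adobe Flash Player update required
Content-Type: text/plain

Please install the attached update.
"""

# Constructed sample: the same address used by the site it was issued to.
LEGIT_MESSAGE = b"""\
Delivered-To: me+sitea-7f3a@example.test
From: "Site A" <no-reply@mail.site-a.test>
To: me+sitea-7f3a@example.test
Subject: Your monthly report
Content-Type: text/plain

Your report is ready.
"""


def recipient_addresses(msg):
    """Every address the message was delivered to, lower-cased, de-duplicated."""
    found = []
    for header in ("Delivered-To", "X-Original-To", "To", "Cc"):
        for value in msg.get_all(header, []):
            for _, addr in getaddresses([str(value)]):
                if addr:
                    found.append(addr.lower())
    return list(dict.fromkeys(found))


def sender_domain(msg):
    """Domain of the From: address, or '' if there is none."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attribute_message(raw, registry=CANARY_REGISTRY):
    """Return one record per registered address the message reached.

    suspect_leak is True when the sender's domain is neither the issuing
    site nor a subdomain of it, i.e. someone other than the site that was
    given the address is now using it.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sdom = sender_domain(msg)
    records = []
    for addr in recipient_addresses(msg):
        site = registry.get(addr)
        if site is None:
            continue  # not one of our unique addresses
        legitimate = sdom == site or sdom.endswith("." + site)
        records.append({
            "address": addr,
            "issued_to": site,
            "sender_domain": sdom,
            "suspect_leak": not legitimate,
        })
    return records


if __name__ == "__main__":
    for raw in (SUSPECT_MESSAGE, LEGIT_MESSAGE):
        for rec in attribute_message(raw):
            print(rec)
```

The registry is the whole trick: as long as each address is used in exactly one place, any message reaching it from elsewhere points back at that one place, which is the evidence the post is describing. Subdomain matching is deliberately permissive so a site's own mail relay does not trigger a false alarm.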
I think the right thing to do is to publicly discuss the issue. I think that when a company doesn’t respond to concerns such as this, and the public entrusts their data to them, it is ethical and right to publicly discuss the issue so people can make an informed choice about doing business with that company.
I can’t say that Payscale.com has been breached because I don’t know. What I can say is that the source of these malicious e-mails seems to have a strong connection to this company, and that they did not respond to a possible breach notification. Consumer beware.
Update: I am happy to report that, as a result of this post, I was contacted by someone at Payscale.com. My contact does seem genuinely concerned with looking into the issue. Again, this may or may not be anything, but the point of the post seems to have succeeded: getting someone to acknowledge that a security issue may exist.