Time Warner Cable claims they were notified by the FBI that some emails and passwords "may have been compromised." It isn't clear at this point how the FBI was alerted to this or how many customers the FBI is able to confirm were compromised.
Who is to blame?
TWC claimed that it wasn't them, stating:
"Our understanding is that the compromise had nothing to do with TWC's systems or processes"
Well bravo there TWC. But how could TWC possibly know this so quickly? Probably due to their impeccable incident response skills.
"TWC has found no evidence of a breach in its systems that operate and secure email accounts for our customers."
Any time such claims are made so hastily, consumers have the right to be skeptical. While I have no doubt that the statement is honest, it is like saying that by examining the skin on my arm, I have found no evidence of liver cancer. It's an honest statement, but suffers from a criminally incomplete analysis. But PR firms know this and will decline to offer additional information that might spook customers until there is ironclad proof that they were at fault.
Should I reset my password?
If you have to ask, you probably haven't been reading this blog long. Of course you should.
What lessons should we be taking away?
First, TWC needs a better PR team. While this hasn't been entirely FUBAR'd, it definitely could have been handled better. Customers are being informed of the breach via email and snail mail. But headlines have already broken out and they have lost the ability to control the narrative.
Second, TWC can do a better job disclosing specifics around why they believe the breach had nothing to do with their internal processes. There has been some spin about the possibility of phishing. While that is certainly possible, it doesn't seem likely with 320,000 accounts impacted. If TWC failed to notice 320,000+ phishing messages delivered to their customers then wow did they ever fail.
Finally, examine the processes with which you entrust customer data (and what types of data you entrust) to your third party partners. When conducting security reviews with Rendition Infosec, this is an area where we find policies are often insufficient. If you have third party partners who have access to (or create copies of) customer data, this incident is a great excuse to review those policies and procedures to ensure that they will insulate you in the event a third party is breached. Remember, they are your customers and are unlikely to care whether you lost the data or one of your partners did. If indeed this is a third party breach, why did the third party have access to passwords in the first place? Why did anybody?
Update: Twitter user Marc Pretico informed me of something I should have already known. "Time Warner" (not breached) and "Time Warner Cable" (disclosed breach) are not the same company, yet I was using the two interchangeably. Post was updated to address this discrepancy. Thanks for the correction.