One aspect of breach response and communication that's fascinated me has been the gravitational field incidents can have. Especially with the major incidents, organizations that weren't involved, or only involved very distantly, forced to respond to the incident.
This came to my mind again with the recent announcement that 880,000 records were accessed and likely stolen from a "legacy platform" of the travel site Orbitz. Orbitz is owned by Expedia and most of the coverage mentions this relationship. Some even attribute statements directly to Expedia, rather than Orbitz. However, the statement makes no mention of Expedia.
As I explored the situation more, I saw the narrative changing almost in real-time. There are key differences between the narrative being put forth by Orbitz in its official statements and the narrative of the media reports. None of the changes are groundbreaking, the facts stay consistent, but it's still worthwhile to look at how they differ. The narrative changed in three ways:
Ownership of the incident: Orbitz > Orbitz, owned by Expedia OR > Expedia responds to incident
Status of remediation: Investigation and remediation potentially ongoing > Orbitz Says Identified And Remediated A Data Security Incident (Reuters)
Semantics: Security incident > breach
Ownership of the incident
This is an interesting case because ownership of the breach isn't settled. When I first read about the incident, I thought the Expedia-Orbitz acquisition was recent and perhaps the breach was discovered by Expedia doing its due-diligence on the new acquisition. It was speculated that the Whole Foods payment card breach in mid-late 2017 was discovered in a similar way during the Amazon acquisition. However, Expedia acquired Orbitz in 2015.
At the time of the breach (likely in late 2017), the relationship between Expedia and Orbitz was well-established so there's a legitimate debate over how much responsibility Expedia has for the breach. There isn't enough publicly-available information to settle that debate and it's interesting to see how journalists and Orbitz are constructing the narrative.
In this situation, it's likely very intentional that Expedia is being left out of official statements. Expedia is trying to stay out of the gravitational field. It doesn't want to be associated with this incident. Journalists, however, are constructing their own narrative. They're giving their readers additional context by reporting on the relationship between the two companies. It was a bit surprising to see statements directly attributed to Expedia, rather than Orbitz though. I'm going to keep track and see whether/to what extent this narrative gains any traction.
Status of remediation
The timeline is also interesting. The "incident" was discovered on March 1 and the announcement was made on March 20. This is neither the best or worst timeline. What interests me is the narrative that by the time of the announcement, Orbitz had identified and remediated the incident. However, that's not exactly the narrative Orbitz put forth in its statement.
"Orbitz immediately began investigating the incident and made every effort to remediate the issue, including taking swift action to eliminate and prevent unauthorized access to the platform"
"As part of the Company’s investigation and remediation work"
This doesn't actually say the incident has been fully remediated (it's ambiguous) but many articles used the past tense, implying that remediation was complete. "The site, now owned by Expedia, confirmed in a statement that it "identified and remediated a data security incident affecting a legacy travel booking platform.'" This is absolutely nit-picking but it's fascinating to see how the narrative of this incident is changing in real time.
The breach versus incident semantic debate isn't a new one. It's standard practice for a company to avoid the word breach. However, this practice is starting to come off as out-of-touch. Everyone else is going to call it a breach anyway. We see that here. Nearly every article uses the term breach to describe the situation, only using "security incident" when quoting Orbitz directly.
With regards to word choice, there were some other choices of note made in the official statement from Orbitz.
"As soon as it was determined that there was likely unauthorized access to certain personal information, Orbitz took swift action to address the issue and protect customers. Importantly, the current Orbitz.com website was not in any way involved in this incident."
"Orbitz’ investigation to date has not found any evidence of unauthorized access to other types of personal information, including passport and travel itinerary information. Additionally, Orbitz can assure U.S. customers that Social Security numbers were not involved in this incident, as these are not collected nor held on the platform."
These choices show attempts to minimize the situation. Orbitz is trying to distance itself from the breach as much as it can. The statement stresses repeatedly (six times) that only certain information was impacted and it was a legacy platform, not the current site. Everyone is trying to escape the blast radius.
Orbitz "regrets any inconvenience caused by this incident" which is not the wording I would have chosen. It again shows an attempt to minimize. This isn't a big deal, just an inconvenience. While that may be the case, that isn't for Orbitz to decide.
Most of the reporting keeps to who, what, when. The number and type of records accessed, at what time. The articles I've read didn't use as many qualifiers (like certain) from the official statement but did specify that it was a legacy platform and the current site wasn't impacted.
At this time, there isn't anything special about the Orbitz incident. 880,000 people are going to get new credit cards, some of them will sign up for the free credit and identity theft monitoring and the world will keep spinning. I was just fascinated to see the narrative of the incident change so specifically from the organization to the media. Perhaps it's because the situation is (apparently) so simple that I was able to focus on these minor changes in narrative instead of getting caught up in a dumpster fire.
I'm going to keep tracking this story. I won't be surprised if there isn't ongoing coverage but we'll see.
Some of the stories I read: