Was the response enough?

Do you remember last July? Ah, July. Seems so long ago. Convention season was in full swing, anime like ReLife and Orange had just started airing, and accounts on FUNimation.com were compromised.

Wait, what?

The Incident

Yes, as reported by Anime News Network, two sites that check for data breaches listed FUNimation.com as having been, in more common terms, hacked. As the site Have I been pwned? revealed:

“In July 2016, the anime site Funimation suffered a data breach that impacted 2.5 million accounts. The data contained usernames, email addresses, dates of birth and salted SHA1 hashes of passwords.

Compromised data: Dates of birth, Email addresses, Passwords, Usernames”

While some people on ANN’s forums say they’ve known about this for months, I know my first reaction was the aforementioned, “Wait, what?!” I know I’m often behind the times, but I know I’m not the only one who had not heard the news. Most articles on this are only a few days old and not months old. Sure, there’s this Reddit thread from December, but a) I’m not a big Redditor and b)  r/funimation is not one of the boards I’d regularly visit. (Apologies to all the Redditors there.) In addition, the person who posted the thread only learned about it through data leak checkers, not FUNimation themselves.

FUNimation’s full statement:

“Safeguarding the privacy and security of our customers’ information is a top priority.

In August 2016 we learned that our web application forum software was the subject of a sophisticated intrusion. Upon learning of the issue, our incident response team promptly launched an investigation and has been working very closely with one of the nation’s leading cybersecurity firms that regularly investigates and analyzes these types of incidents. Following our complex forensic investigation, which was recently concluded, we devoted considerable time and effort to determine what information contained within the forums database may have been compromised.

Funimation has sent written notification to those customers whose names, e-mail addresses, and dates of birth may have been accessed, as required by state notice laws. Passwords were encrypted and not viewable as a result of this incident.

We are taking proactive steps to strengthen our IT systems moving forward to prevent similar issues in the future. We immediately turned off the forums web application and have since changed all administrator passwords, relaunched an updated version of the site with additional security, increased the complexity of the passwords required for user accounts and upgraded the Forums Platform.”

A Response to FUNimation’s Response

Let’s talk about the two big parts that jump out. First, take a look at your calendar. I don’t know about you, but mine says 2017. FUNimation says they found out in mid-2016. So why is this just making news now? Why are they only publicly responding six months after this breach happened?

Which brings me to the “written notification” part. I wouldn’t expect this to be plastered all over the Internet like the Target and Yahoo! breaches, but I don’t think sending emails just to users is enough. (Again, if you take a look around various forums, many users say they were never notified.) Even if that’s all that is legally necessary, just emailing is not enough from a moral or public relations perspective. Emails get lost, end up in the spam folder, or may be accidentally deleted by the user. There’s not much a person can do after their email address is exposed, but people should still be notified just in case the leak was worse than expected or if the users start receiving some suspicious emails.

Sure, no company wants to announce that the names, ages, etc. of their visitors could now be used to sign up for other sites, sold for profit, or even used to make purchases. Such information erodes customer trust and can have a large impact on profits. But waiting six months to make an official announcement — and only releasing a statement after the story really broke — reflects poorly on FUNimation. I don’t blame them for the hack; I blame them for not immediately putting out a statement to warn their users.

And Now, More Hacks

Now, with the issue of the so-called “Cloudbleed” leak, it’s more important than ever for websites to disclose the possibility of accounts being compromised. Being hacked may cost a company some support, but that’s nothing compared to the amount of business lost by downplaying or ignoring a breach. I hope other companies do more to inform customers — whether the news be good or bad — than FUNimation did. So far, at least, many companies that could have been involved in Cloudbleed (Anime News Network, Crunchyroll, NISA, and more) have made a statement.

When did you find out about FUNimation.com being compromised? Do you think FUNimation did enough to inform their users?