Are security breaches really bad PR?

20 Jun 2011

There's a general belief in the security industry that being hacked is bad for business: it makes your firm look careless and will cost you customers.

I've always wondered if that's true. Will Sony lose gamers' hearts because it lost their password details? Will Citi Group, Sega, or any other recent target go out of business over a hack? Or is the PR fallout from a breach not actually as bad as the security industry says?

One website stands accused of purposefully testing that theory. Beautiful People is a dating website that -- as the name suggests -- only lets beautiful people join (although I've always wondered why attractive people need dating help from an algorithm?). The site filters out the "ugly" people -- that would be us normal people -- via a Hot or Not style voting system.

Today, Beautiful People announced it had been hit by a virus, which it dubbed the "Shrek Virus", that had allowed ugly/normal people to slip though the vanity filter; it has booted those 30,000 would-be daters, refunding those who had paid to sign up.

It's a fantastic piece of chicanery, of course, designed to boost awareness of the dating website

"It was initially thought to be one of the 5.5 million rejects, but further investigations point to a former employee who placed the virus before leaving the team in May," the press release says, actually referring to would-be customers as "rejects". "Despite wreaking havoc with the application process, member privacy and security was never breached."

And that's all rather convenient, notes Sophos security researcher Graham Cluley.  "It's a fantastic piece of chicanery, of course, designed to boost awareness of the dating website, get them many thousands of pounds of free publicity with little risk of damage to their reputation," he says in a blog post.

"So, lots of publicity for the website but nothing for current or future members to worry about then. How convenient!" he adds, noting the site's PR firm has previously used somewhat similar tactics. (Of course, as The Register points out, Cluley's job is to get press coverage for Sophos, so "we're in danger of being sucked into a conspiracy feedback loop". And to pre-empt the inevitable comments: I realise I've fallen for it and have handed coverage to both.)

Real hack?

Beautiful People's PR assures us the hack is real, but as the investigation is ongoing, not many details are available. Perhaps more worryingly than a maybe/maybe not hack is that the site's spokeswoman sent me photos of some of the so-called "rejects" for publication (I'm not that mean).

Asked whether that might be a privacy issue, she assured me the applicants had signed away the rights to their photos, and the site could use them as they saw fit. Yes: if you apply for Beautiful People, they might use you as an example of a reject -- now that truly is ugly.

We'd like to find anyone rejected by the site during this virus-induced purge, just to prove it actually happened. We promise not to laugh at your failure to join the ranks of the Beautiful People; one look at our column mugshots should confirm that looks have never been that important to PC Pro.

Read more about: