This. This is why we need mandatory data breach notification laws. Right now, we don't have them, and it allows companies like iiNet to get away with crap like this: iiNet's gaming portal, 3FL, was hacked and defaced in June. Now, in October, we find out that hackers scored a list of registered email addresses and has been spamming them ever since. For shame.
Delimiter got hold of an internal email from iiNet's operations centre manager sent in June. The email is addressed to the iiNet executive team and confirms the attack on the 3FL site.
iiNet reportedly took the site down after a defacement before investigating and subsequently confirming that a breach had occurred. iiNet staff were advised that no public communications were to take place surrounding the attack. There's your first mistake, iiNet.
The second mistake came on the Whirlpool forums where — despite posts to the contrary — an iiNet rep said that despite a decent amount of investigation, the company couldn't find any breach, and all the while, 3FL members were getting spammed by the attackers.
iiNet's chief technology officer John Lindsay called the farce to a close this week after finally admitting that the breach had in fact taken place.
Head on over to Delimiter for Lindsay's full statement on how it all went down. Needless to say, iiNet has handled this really badly. Poor form, iiNet. [Delimiter]