Kyle Miller Featured on BBC World Service's Newsday
Kyle Miller was featured on BBC World Service’s Newsday, a global morning news program, on March 29, 2018. He discussed the MyFitnessPal data breach with host Bola Mosuro as both an attorney with a data security background and a user affected by the breach:
Mosuro: Now, if you’re one of over 150 million users of the lifestyle website and app MyFitnessPal, you might want to check your account. That’s because if you haven’t heard, there’s been a security breach. The company, which is run by the parent group UnderArmor, made the announcement yesterday, just four days after users’ data was breached. Kyle Miller is lawyer working in Cyber Security in Louisville in the United States. He’s also a MyFitnessPal member and said how the company broke the news in an email.
Miller: They said in their notification that the information was usernames, email addresses, and hashed passwords, then listed the technical hashing function – how they encrypted passwords. They became aware of it on March 25, which is only a few days ago. The data was not incredibly sensitive, although I’m sure there are many people out there who have reused the same email addresses or passwords. As a matter of practice, we know we shouldn’t reuse passwords but of course many, many people do. And that’s also why it’s important that companies get these breach notifications out as quickly as possible. Maybe it’s not the right bar to measure them by, but we’ve seen in previous data breaches that months or longer go by before we realize that very sensitive information about us has been disclosed wrongfully to third parties.
Mosuro: What else have they said they’re doing? Especially in terms of tracking down who they believe may be the culprits?
Miller: Right, so they have very little information there other than they are working with law enforcement, which is the typical line, but a necessary one when you are working with law enforcement. And in the email they say they are, of course, notifying, urging us to change [our passwords] – they are going to be monitoring, then making enhancements generally. Maybe it’s a thin pronouncement right now as they are still in their investigation stage. As time goes on they might find more information or it would probably be advisable to do a follow up and say “Okay, this is exactly what happened. We know now and these are the changes we’ve made because of that.”
Mosuro: How have the actions of UnderArmor, how have they compared with past breaches?
Miller: First off, there was the notification from the company. So this came straight from MyFitnessPal not rumors, not from news. In particular, I think that the speed in which they’ve notified us – of course you always want to see it faster – but I’ve been notified of a personal breach by Equifax, by Target Corporation, and by actually the U.S. Federal Government. In all of those it was weeks to months of very sensitive data being out before I was told that it was there. Reading through this breach notification, I think that it’s a model. On the face of it, this looks to be a very good notification and I think it’s what users are looking for.
Mosuro: I just wonder what this means in terms of our lifestyles, in terms of how people input data. Could these kinds of breaches actually make people think “You know what, I’m going to kind of withdraw from the online world for a while?”
Miller: I think that there might be a pushback against particularly egregious data use. Of course there is a movement, we’ll see if it becomes overwhelmingly popular or not, against Facebook because of what they were actively doing with the data. It’s hard to say because there is so little power to consumers to choose who has their data and how it is being used. I think it’s something most consumers accept.
Mosuro: And he’s Kyle Miller, a lawyer working in cyber security based in Kentucky in the USA.
BBC World Service is a global news service available to more than 250 million people in 28 languages.