Incident: Kickstarter Data Breach Compromising User Information.

Published Date: 2014-02-16

Postmortem Analysis
Timeline 1. The software failure incident on Kickstarter happened when the site was hacked, as reported in Article [24492]. 2. The incident was reported on February 16, 2014, in Article [24492]. 3. Therefore, the software failure incident on Kickstarter occurred in February 2014.
System 1. Kickstarter's security system [24492]
Responsible Organization 1. Hackers [24492]
Impacted Organization 1. Users of Kickstarter [24492]
Software Causes 1. Unauthorized access by hackers to customer data, leading to compromise of usernames, passwords, mailing addresses, e-mail addresses, and phone numbers [24492]
Non-software Causes 1. Unauthorized access by hackers to Kickstarter's data [24492] 2. Compromise of usernames, passwords, mailing addresses, e-mail addresses, and phone numbers [24492] 3. Lack of evidence of unauthorized activity on most Kickstarter user accounts [24492] 4. Law enforcement notifying Kickstarter of the breach [24492]
Impacts 1. Usernames, passwords, mailing addresses, e-mail addresses, and phone numbers were compromised by hackers on Kickstarter [24492]. 2. No credit card information was stolen in the breach [24492]. 3. Kickstarter urged users to change their passwords [24492]. 4. The incident caused frustration and upset among the community [24492]. 5. Law enforcement notified Kickstarter of the breach [24492]. 6. The security breach led to unauthorized access to some customer data [24492]. 7. There was no evidence of unauthorized activity on all but two Kickstarter user accounts [24492].
Preventions 1. Implementing stronger password security measures such as requiring users to create complex passwords or enabling two-factor authentication could have prevented the unauthorized access to user data [24492]. 2. Regular security audits and penetration testing to identify and address vulnerabilities in the system could have helped in detecting and preventing the hack [24492]. 3. Educating users on best practices for online security, such as not reusing passwords across multiple accounts, could have reduced the impact of the breach [24492].
Fixes 1. Implementing stronger security measures to prevent unauthorized access to user data [24492] 2. Conducting a thorough security audit to identify vulnerabilities and address them promptly [24492] 3. Enhancing password security protocols, such as requiring stronger passwords or implementing two-factor authentication [24492]
References 1. Kickstarter CEO Yancey Strickler's blog post [24492] 2. Kickstarter news release [24492] 3. Law enforcement [24492]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident of a hack compromising user data has happened again at Kickstarter. This incident involved unauthorized access to user data, including usernames, passwords, mailing addresses, email addresses, and phone numbers. However, no credit card information was stolen in this breach. Kickstarter CEO Yancey Strickler urged users to change their passwords and emphasized the importance of creating new passwords for their accounts. This incident showcases a breach in data security within the same organization [24492]. (b) There is no specific mention in the provided article about a similar software failure incident happening at other organizations or with their products and services.
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase can be attributed to the hackers gaining unauthorized access to user data on Kickstarter. This breach occurred due to vulnerabilities in the system's design or development, allowing the hackers to compromise usernames, passwords, mailing addresses, email addresses, and phone numbers of users [24492]. (b) The software failure incident related to the operation phase can be seen in the misuse of the system by the hackers who gained unauthorized access to some customer data. This unauthorized access was a result of operational weaknesses that allowed the breach to occur, leading to the compromise of user information [24492].
Boundary (Internal/External) within_system (a) The software failure incident related to the Kickstarter hack can be categorized as within_system. The breach occurred due to hackers gaining unauthorized access to some of the customers' data stored within Kickstarter's system. Kickstarter CEO mentioned that usernames, passwords, mailing addresses, e-mail addresses, and phone numbers were compromised, indicating that the breach originated from within the system [24492].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident on Kickstarter was due to non-human actions, specifically a hack by unauthorized individuals. The hackers gained unauthorized access to user data, compromising usernames, passwords, mailing addresses, email addresses, and phone numbers. However, it was highlighted that no credit card information was stolen in the breach [24492]. (b) Human actions were involved in the response to the incident. Kickstarter CEO Yancey Strickler urged users to change their passwords and recommended creating new passwords for their accounts. The CEO expressed regret over the incident and emphasized the importance of security measures for the community. Additionally, law enforcement notified Kickstarter of the breach, leading to the immediate closure of the security breach by the site [24492].
Dimension (Hardware/Software) software (a) The software failure incident reported in the article on Kickstarter being hacked does not indicate any contributing factors originating in hardware. The incident was primarily due to hackers gaining unauthorized access to user data, leading to the compromise of usernames, passwords, mailing addresses, email addresses, and phone numbers. The breach did not involve any theft of credit card information, indicating that the failure was not attributed to hardware issues [24492]. (b) The software failure incident on Kickstarter was primarily due to contributing factors originating in software. The breach occurred as hackers gained unauthorized access to user data, compromising sensitive information such as usernames, passwords, mailing addresses, email addresses, and phone numbers. The incident highlights a software vulnerability that allowed the unauthorized access, leading to the need for users to change their passwords and enhance security measures [24492].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident related to the Kickstarter hack was malicious. Hackers gained unauthorized access to user data, compromising usernames, passwords, mailing addresses, email addresses, and phone numbers. The incident was described as a hack where unauthorized individuals breached the system with the intent to access and potentially misuse sensitive user information. Kickstarter CEO Yancey Strickler emphasized the need for users to change their passwords and acknowledged the frustration and upset caused by the breach [24492].
Intent (Poor/Accidental Decisions) poor_decisions (a) The software failure incident on Kickstarter was due to poor decisions made by the hackers who gained unauthorized access to user data. This breach resulted in usernames, passwords, mailing addresses, e-mail addresses, and phone numbers being compromised [24492].
Capability (Incompetence/Accidental) accidental (a) The software failure incident related to development incompetence is not explicitly mentioned in the provided article. (b) The software failure incident related to accidental factors is evident in the article as it mentions that Kickstarter was hacked, leading to unauthorized access to user data. This breach was not intentional on the part of Kickstarter but was caused by external hackers gaining unauthorized access to user information [24492].
Duration temporary The software failure incident reported in Article 24492 was temporary. The incident involved a hack where usernames, passwords, mailing addresses, email addresses, and phone numbers were compromised by hackers. However, no credit card information was stolen. Kickstarter CEO urged users to change their passwords and mentioned that there was no evidence of unauthorized activity on all but two user accounts. The breach was identified by law enforcement, and Kickstarter immediately closed the security breach upon notification [24492].
Behaviour crash, other (a) crash: The software failure incident in the article can be categorized as a crash. The system lost state and did not perform its intended functions due to unauthorized access by hackers, leading to the compromise of user data on Kickstarter [24492]. (b) omission: There is no indication in the article that the software failure incident was due to the system omitting to perform its intended functions at an instance(s). (c) timing: The software failure incident was not related to the system performing its intended functions correctly but too late or too early. (d) value: The software failure incident was not due to the system performing its intended functions incorrectly. (e) byzantine: The software failure incident was not characterized by the system behaving erroneously with inconsistent responses and interactions. (f) other: The software failure incident can be categorized as a security breach resulting from unauthorized access by hackers, compromising user data on Kickstarter.

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property (d) property: People's material goods, money, or data was impacted due to the software failure The software failure incident at Kickstarter resulted in usernames, passwords, mailing addresses, e-mail addresses, and phone numbers being compromised by hackers. While no credit card information was stolen, the breach did impact personal data of the users [24492].
Domain information (a) The failed system in the incident was related to the information industry as it involved a popular crowd-funding site, Kickstarter, where users post their ideas and raise money for them by garnering donations from other users [24492].

Sources

Back to List