About a year after 57 million records were breached at Uber, the company issued a breach notification press release. The CEO made no excuses for the lateness of the notice and to be fair, he was not involved in the handling of the whole thing since he was hired after the event. The notification also … Continue reading
Category Archives: Breach announcements
This section looks at how data breaches are announced– call it media/public relations criticism. How much is news, how much is the organization trying to get the word out to the public. Increasingly, there is a story in the story: how much does the press “run” with the story.
A recent REALLY BIG breach: reporting relationships and college degrees
We are somehow hearing about what the Equifax CISO studied in college and not about when the firm’s last pen test was. We are hearing about how heads rolled at Equifax but not if the reporting relationship between IT and Security has been revised. Since the interim CISO seems to be reporting to the interim … Continue reading
When is a breach notification not a breach notification (part three)?
When it is presidential primary news. When the “family feud” is more newsworthy than the data. When there are no less than four parties involved who one can identify as data custodians of one kind or another. In a single sentence, the incident can be described as follows (the four data custodians are numbered in … Continue reading
The hack that maybe wasn’t: Ashley Madison
In the world of on-line romance and breach notifications, the Ashley Madison hack is unique. Usually, on-line romance crimes involve fraud. Law enforcement officials report that on-line romance fraud is under-reported because the victims are too embarrassed to admit they were duped. They do not want to go through the humiliation of having a detective … Continue reading
EVERYONE’S WHITEPAPER…ever. A how-to.
Sample (analysis follows): The cyber security threat landscape is awash in an ever changing fabric of “slings and arrows”. It’s not just a matter of “if” script kiddies will attack the enterprise but “when” nation states. And big, big breaches. Before the 20th century, there are only two recorded Denial of Service attacks: the burning … Continue reading
Hooked on hacks
To distort a phrase from media criticism: if it HEARTBLEEDS, it leads. I have no proof of this, but I am guessing that the number of journalists that now have experience writing about cybersecurity events has increased dramatically in the past year. Big breaches have always been news, but with a cluster of them occurring … Continue reading
When is a breach notification not a breach notification (revisited)?
When it’s a customer service announcement. At least that’s what one in-flight internet on demand service provider claimed. So, the first thing to understand is that there is no reason to believe that customer information was actually compromised. On the other hand, as Bruce Schneier points out in Liars and Outliers, society runs on trust … Continue reading
The 4th e-state of denial
Corporate web sites getting hacked is news. Corporate news sites getting hacked is news. News sites getting not hacked but going down anyway is…? When NYTIMES.com went down this week for a couple of hours, they felt they needed to provide the proper context for their downtime. The headline of the article they published read … Continue reading
When is a breach notification not a breach notification?
In Memoriam Barnaby Jack.(1) When it’s an indictment, a settlement or an ethical hack. It is interesting to note the difference between a breach notification press release (these are required by law, for example, for breaches of health care data affecting over 500 individuals) and the subsequent coverage and reports of indictments, settlements and ethical … Continue reading
Honest, Mom, lots of kids failed that test
The media are certainly becoming more sophisticated at reporting on data breaches and web site hacks. And as that happens, corporate communications departments are freer to craft ever more sophisticated messages about a breach/hack involving their organization. The new goal is to attempt to describe the organization as just the latest victim of an on-going attack … Continue reading
{Cyber Security} 