As we close out 2019, we at Security Boulevard wanted to highlight the five most popular articles of the year. Following is the first in our weeklong series of the Best of 2019.
What would you do if you found out through a third party that your organization had been breached and the information was discovered for sale on the dark web?
The correct response is you would verify the authenticity of the third party and then graciously thank them for the notification and then immediately begin investigating the breach. But the correct response isn’t always the actual response.
Cybersecurity intelligence company GroupSense spends a lot of time on the dark web looking at data for sale to see if any of it is from its clients, but when the security pros find stolen data from a non-client company, as a courtesy, they notify that organization. What often happens is … nothing. Most of the time, the breached company will not even respond, perhaps because it doesn’t want to know or acknowledge it has been breached.
If the information breached was customer data, the company’s customers may never realize their PII is available for sale. If it is corporate data or intellectual property, the company risks losing current and future business because of the data that’s been poached and copied. The organization itself loses because, if caught, it could be in violation of data privacy and compliance laws and consumers could decide to take their business elsewhere.
Consumers are already skeptical about data breaches: A study from ShredIt found that two-thirds of Americans don’t trust organizations to tell the truth about data breaches. Employees worry, too, about their PII made available to fraudsters, and many say they would leave their job because of a data breach.
Why Companies Ignore Data Breach Warnings
Why do companies ignore the breach notification from a third party, which is likely an unknown source? Kurtis Minder, CEO of GroupSense, has a few theories. The first is that they think it is bogus or a trick.
“Considering the seriousness of a data breach and the potential impact to brand value, I would expect that they would look into the person offering the notification (Google search, LinkedIn, etc.),” Minder stated. “If this were the case, they would have seen that I am a legitimate and verified member of the cybersecurity community.”
A second possibility is that they get many inbound notifications of this nature and cannot possibly investigate each one. But the third and perhaps most probable reason is that once notified, the organization has to engage in an incident response effort and, depending on data breach notification laws in their area, they’d be bound to notify their customers of the breached data. GDPR—and, in the coming year, CCPA—put data breaches on the clock. Once alerted to a breach, organizations face a strict time limit—just 72 hours for GDPR—to notify those whose PII has been compromised. However, no regulations have set standards for third-party notifications, so companies are under no obligation to listen if a third party tells them they are breached.
Change Is Needed
This ostrich-head-in-the-sand approach may work for now, but in the end, a data breach hurts everyone involved. Unfortunately, most companies won’t take action unless they are legally mandated, which is why Minder thinks modifications to existing legislation or additional legislation would help this problem.
“The breach notification laws which are now enacted in all 50 U.S. states dictate that companies or government entities that are breached must notify the affected parties within a time period after the breach is discovered,” he explained. “These laws fail to outline a requirement for companies to receive notifications of potential breaches. What this does is creates an atmosphere of willful ignorance of the potential issue.”
In some cases, he added, the company would have to have been discovered and outed by a third party or have gone looking for the breach themselves. “Given the deficit in cybersecurity talent, many organizations do not have the resources to run their exiting security programs well enough, let alone go searching for active data loss or pending threats.”
It’s not a perfect solution by any means. By introducing a requirement that organizations should have a formalized method for third-party notification of data leaks would create some challenges for the organizations. These challenges include managing volume, false positives, credibility and hoaxes.
“Ideally,” Minder said, “legislation would address this by creating and funding a standards body for third-party breach notification tasked with managing and mitigating these challenges for the broader enterprise community.”
While you need trust and verify the source reporting the data breach to you, ignoring the warnings are only could to cause more trouble. Better to heed the warning, thank them for the heads up and do some investigating yourself so your customers and your employees can take action if necessary.