[BreachExchange] Companies Ignoring Third-Party Breach Alerts

Destry Winant destry at riskbasedsecurity.com
Tue Dec 17 09:21:35 EST 2019


What would you do if you found out through a third party that your
organization had been breached and the information was discovered for
sale on the dark web?

The correct response is you would verify the authenticity of the third
party and then graciously thank them for the notification and then
immediately begin investigating the breach. But the correct response
isn’t always the actual response.

Cybersecurity intelligence company GroupSense spends a lot of time on
the dark web looking at data for sale to see if any of it is from its
clients, but when the security pros find stolen data from a non-client
company, as a courtesy, they notify that organization. What often
happens is … nothing. Most of the time, the breached company will not
even respond, perhaps because it doesn’t want to know or acknowledge
it has been breached.

If the information breached was customer data, the company’s customers
may never realize their PII is available for sale. If it is corporate
data or intellectual property, the company risks losing current and
future business because of the data that’s been poached and copied.
The organization itself loses because, if caught, it could be in
violation of data privacy and compliance laws and consumers could
decide to take their business elsewhere.

Consumers are already skeptical about data breaches: A study from
Shred-it found that two-thirds of Americans don’t trust organizations
to tell the truth about data breaches. Employees worry, too, about
their PII made available to fraudsters, and many say they would leave
their job because of a data breach.

Why Companies Ignore Data Breach Warnings

Why do companies ignore the breach notification from a third party,
which is likely an unknown source? Kurtis Minder, CEO of GroupSense,
has a few theories. The first is that they think it is bogus or a

“Considering the seriousness of a data breach and the potential impact
to brand value, I would expect that they would look into the person
offering the notification (Google search, LinkedIn, etc.),” Minder
stated. “If this were the case, they would have seen that I am a
legitimate and verified member of the cybersecurity community.”

A second possibility is that they get many inbound notifications of
this nature and cannot possibly investigate each one. But the third
and perhaps most probable reason is that once notified, the
organization has to engage in an incident response effort and,
depending on data breach notification laws in their area, they’d be
bound to notify their customers of the breached data. GDPR (and, in the
coming year, CCPA) put data breaches on the clock. Once aware of a
breach, an organization covered by GDPR has a strict time limit of just
72 hours to notify its supervisory authority, and must inform the
individuals whose PII has been compromised without undue delay when the
breach poses a high risk to them. However, no
regulations have set standards for third-party notifications, so
companies are under no obligation to listen if a third party tells
them they are breached.

Change Is Needed

This ostrich-head-in-the-sand approach may work for now, but in the
end, a data breach hurts everyone involved. Unfortunately, most
companies won’t take action unless they are legally mandated, which is
why Minder thinks modifications to existing legislation or additional
legislation would help this problem.

“The breach notification laws which are now enacted in all 50 U.S.
states dictate that companies or government entities that are breached
must notify the affected parties within a time period after the breach
is discovered,” he explained. “These laws fail to outline a
requirement for companies to receive notifications of potential
breaches. What this does is create an atmosphere of willful ignorance
of the potential issue.”

In some cases, he added, a breach would only come to light if the
company were discovered and outed by a third party or went looking for
the breach themselves. “Given the deficit in cybersecurity talent, many
organizations do not have the resources to run their existing security
programs well enough, let alone go searching for active data loss or
pending threats.”

It’s not a perfect solution by any means. Requiring organizations to
maintain a formalized method for receiving third-party notifications of
data leaks would create some challenges for them. These challenges
include managing volume, false positives, credibility and hoaxes.

“Ideally,” Minder said, “legislation would address this by creating
and funding a standards body for third-party breach notification
tasked with managing and mitigating these challenges for the broader
enterprise community.”

While you do need to verify the source reporting the data breach to
you, ignoring the warning will only cause more trouble. Better to heed
the warning, thank them for the heads up and do some investigating
yourself so your customers and your employees can take action if
necessary.
