BreachExchange mailing list archives
Re: confirming victims of data breaches?
From: "Mike Simon" <msimon () creationlogic com>
Date: Tue, 22 Jul 2008 09:16:34 -0700
Interesting discussion, and great insight from each of you.

One of the problems I wrestle with is that one cannot always be clear about what records were actually compromised. In a situation where (for example) a hacker gains access to a transaction stream, the hacker doesn't get the whole database, but just what flowed by while they had access. In that case, it should be theoretically possible to notify only those persons whose data was exposed during that window. I'm usually all for broad notification and information sharing, but the expenses of notification and remediation on a per-record basis could mean the difference between a minor incident for the company and bankruptcy.

WRT this thread, as long as you have a handle on whose data was exposed, you could certainly still respond to queries from customers, but as was mentioned earlier, you would need extraordinary means of authenticating the caller/inquirer so as to not further compromise customers.

At some price point per record, it becomes cost-effective to do the analysis and notify only the affected rather than pay for notification, credit monitoring and such for your whole database.

Mike Simon

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss