Educause Security Discussion mailing list archives
How do you handle "indirect" data breaches from "Have I Been Pwned"
From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Fri, 16 Aug 2019 13:39:04 +0000
How do you handle third-party data breaches that could have an indirect connection to your institution, such as individuals using their .edu account for a personal cloud service, etc.?

We subscribe to haveibeenpwned.com's domain search notification service. We've seen a steady increase in notifications around these types of services:

- Chegg
- Canva
- Adobe

And then there are the usual personal services (fitness apps, tickets, etc.).

Should we notify potentially impacted accounts? If so, what guidance should be provided? Seems there's a balance in being helpful but at the same time not assuming any liability or support burden.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696