Educause Security Discussion mailing list archives
Re: How do you handle "indirect" data breaches from "Have I Been Pwned"
From: "Hillhouse, Bob (Bob)" <0000010ac8b8c023-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Fri, 16 Aug 2019 13:46:54 +0000
Jim,

We have attempted to be “helpful” in the past by informing our constituents of a breach. It generated questions about how “we” protect their information even though the disclosure had nothing to do with our institution beyond the use of their institutional email address as a username. There was also a degree of panic (which isn’t ALL bad).

Communicating WHY an institutional department is contacting them about their fitness, or bank, or whatever is challenging; helping them understand the connection is challenging. We always make it clear that we’re informing them as a public service and use it as a chance to create awareness in regard to their “digital double”: that online form of themselves that lives on the interweb. We also find that a lot of folks forget that they had even signed up or used their @edu address.

Should we notify them? Carefully, IMHO.

--
Bob Hillhouse, CISSP
Associate CIO & CISO
The University of Tennessee, Knoxville

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Jim A. Bole" <jbole () STEVENSON EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, August 16, 2019 at 9:39 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] How do you handle "indirect" data breaches from "Have I Been Pwned"

How do you handle third-party data breaches that could have an indirect connection to your institution, such as an individual using their .edu account for a personal cloud service, etc.?

We subscribe to haveibeenpwned.com’s domain search notification service. We’ve seen a steady increase in notifications around these types of services:

* Chegg
* Canva
* Adobe

And then there are the usual personal services (fitness apps, tickets, etc.).

Should we notify potentially impacted accounts? If so, what guidance should be provided?

Seems there’s a balance in being helpful but at the same time not assuming any liability or support burden.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
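The thread above is about whether and how to notify users who appear in a Have I Been Pwned domain-search notification. The following is an added example, not code posted in the thread and not software from HIBP or either institution: it shows one way to triage such a notification before deciding who to contact, separating breaches of the institution's own systems (which belong in the incident process, not a courtesy notice) from third-party "indirect" breaches, and flagging which of those exposed passwords, since password reuse is the only real risk the institution inherits from a breach of someone's fitness or ticketing account. The institution domain example.edu, the alias list and the breach records are all constructed; the breach records only borrow the field names of HIBP's public breach model (Name, Domain, BreachDate, DataClasses), and the values in them are made up.

```python
"""Triage a Have I Been Pwned domain-search notification for one institutional domain.

Added example: not code from the EDUCAUSE thread, HIBP, or any institution.
Assumptions (labelled): INSTITUTION_DOMAIN, the alias list and the breach
records are constructed sample data; the breach records reuse HIBP's public
breach-model field names (Name, Domain, BreachDate, DataClasses) with made-up values.
"""
from collections import Counter
from dataclasses import dataclass

INSTITUTION_DOMAIN = "example.edu"  # assumption: the domain subscribed to HIBP domain search


@dataclass(frozen=True)
class Breach:
    name: str              # HIBP "Name"
    domain: str            # HIBP "Domain": breached site, "" when HIBP lists none
    breach_date: str       # HIBP "BreachDate"
    data_classes: frozenset  # HIBP "DataClasses"


# Constructed breach metadata (shape of HIBP records, fictional contents).
BREACHES = {
    "ExampleEduPortal": Breach("ExampleEduPortal", "portal.example.edu", "2019-05-02",
                               frozenset({"Email addresses", "Passwords", "Names"})),
    "FitnessApp": Breach("FitnessApp", "fitnessapp.example", "2018-11-20",
                         frozenset({"Email addresses", "Passwords", "Usernames"})),
    "TicketSeller": Breach("TicketSeller", "tickets.example", "2019-01-14",
                           frozenset({"Email addresses", "Names", "Phone numbers"})),
    "Aggregator": Breach("Aggregator", "", "2017-03-03",
                         frozenset({"Email addresses", "Passwords"})),
}

# Constructed domain-search result: alias under INSTITUTION_DOMAIN -> breach names.
DOMAIN_SEARCH_RESULT = {
    "alice": ["FitnessApp", "TicketSeller"],
    "bob": ["TicketSeller"],
    "carol": ["ExampleEduPortal", "Aggregator"],
    "dave": [],
}


def is_institutional(breach: Breach, domain: str = INSTITUTION_DOMAIN) -> bool:
    """A breach is 'direct' only when the breached site is the institution's own domain
    or a subdomain of it; anything else is a third party where the user merely used
    an institutional address as a username."""
    d = breach.domain.lower()
    inst = domain.lower()
    return bool(d) and (d == inst or d.endswith("." + inst))


def exposes_credentials(breach: Breach) -> bool:
    """Password material is what turns a third-party breach into an institutional risk
    (reused credentials), so it drives the notification decision."""
    return bool(breach.data_classes & {"Passwords", "Password hints"})


def triage_alias(alias: str, breach_names, breaches=BREACHES, domain=INSTITUTION_DOMAIN) -> dict:
    """Classify one alias's breaches and pick an action:
    'incident'          - our own system appears: route to breach response, not a courtesy note
    'notify-reset'      - only third-party breaches, but a password was exposed: advise reset
                          on that service and anywhere the same password was reused
    'notify-awareness'  - third-party exposure of contact data only (or unknown breach):
                          phishing awareness, low priority
    'none'              - alias not in any breach"""
    direct, indirect, unknown = [], [], []
    for name in breach_names:
        b = breaches.get(name)
        if b is None:
            unknown.append(name)        # metadata not fetched yet; needs a human look
        elif is_institutional(b, domain):
            direct.append(b)
        else:
            indirect.append(b)
    creds = any(exposes_credentials(b) for b in direct + indirect)
    if direct:
        action = "incident"
    elif creds:
        action = "notify-reset"
    elif indirect or unknown:
        action = "notify-awareness"
    else:
        action = "none"
    return {
        "address": f"{alias}@{domain}",
        "direct": sorted(b.name for b in direct),
        "indirect": sorted(b.name for b in indirect),
        "unknown": sorted(unknown),
        "credentials_exposed": creds,
        "action": action,
    }


def triage_domain(result=DOMAIN_SEARCH_RESULT) -> list:
    """Triage every alias in a domain-search result."""
    return [triage_alias(alias, names) for alias, names in sorted(result.items())]


def summarize(triages) -> dict:
    """Count aliases per action, so the team sees the notification load before sending."""
    return dict(Counter(t["action"] for t in triages))


if __name__ == "__main__":
    rows = triage_domain()
    for t in rows:
        print(t["address"], t["action"], "direct=", t["direct"], "indirect=", t["indirect"])
    print(summarize(rows))
```

In practice the `BREACHES` dictionary would be populated from HIBP's published breach metadata rather than typed in, and the 'notify-*' rows would feed whatever wording the institution chooses; the point of the split is that the message for a third-party breach can say plainly that none of the institution's systems were involved and that the only reason the institution knows is that an @edu address was used as the username.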
Current thread:
- How do you handle "indirect" data breaches from "Have I Been Pwned" Jim A. Bole (Aug 16)
- Re: How do you handle "indirect" data breaches from "Have I Been Pwned" Hillhouse, Bob (Bob) (Aug 16)