File this under “How NOT to issue a press release.”
Korn/Ferry reportedly issued some statement that they were the victim of a criminal attack. They note that the databases typically do not hold credit cards, Social Security numbers or health information, but they fail to indicate what types of personally identifiable information may have been involved and whether they’re notifying any individuals. Nor do they say when the attack occurred and when and how they learned of it. So what data are involved? And what do they mean by APT? SQL injection?
C’mon guys, there’s been enough written about reporting breaches for Korn/Ferry to have done a much better job on disclosing a breach.
Update: Here’s their press release, and it’s as nonsubstantial as I had indicated.
Updated Oct. 12: Thanks to the California AG site, we now have some details. See this post.