Ellen Messmer reports:
By all accounts, many of the massive data breaches in the news these days are first revealed to the victims by law enforcement, the Secret Service and Federal Bureau of Investigation (FBI). But how do the agencies figure it out before the companies know they have been breached, especially given the millions companies spend on security and their intense focus on compliance?
Their efforts aren’t always appreciated, either:
In the course of all of this monitoring, Henry says, law enforcement often finds itself in the odd position of having to show companies evidence they have been victimized. And they aren’t always thanked for their efforts. Sometimes, Henry says, companies say “’Please just go away.’” He adds, “It happens all the time.”
Read more on NetworkWorld. It’s an interesting article, and I find it especially interesting to think about situations where law enforcement decides not to come knocking to let a firm know that they are under attack or their data is being stolen or otherwise misused. As a case in point, Experian recently got a lot of very bad press over the Court Ventures/USInfoSearch situation that allowed an overseas criminal to access information in USInfoSearch’s database through a client contract with Court Ventures. Law enforcement was already on to and investigating Ngo when Experian acquired Court Ventures in March 2012, but reportedly never alerted Experian. And because Experian never did its due diligence in a timely fashion, the problem continued for approximately another nine months.
Would law enforcement make the same decision not to notify today? I wonder, but I wouldn’t be totally surprised if they did.