I haven’t kept strict statistics, but in general, most entities that I try to notify of a breach fail to respond at all. Others may respond that they’re looking into claimed hacks, but then fail to get back to me with a definitive answer or statement.
Here’s another case in point:
On January 10, I emailed the Commissioner of Insurance for Kansas, as well as the ks.gov contact, webmaster for their site, and one other.
In my email, I pointed them to a claimed hack that had been posted on #TeamCarbonic’s web site at http://yourattorney.nl/dumps/kansins.txt
The data that had been dumped included residents complaining about auto insurance rate hikes due to credit score rating and how unfair that seemed. Some of the residents complaining included personal information as well as their contact details, such as the individual who noted his wife had been in a coma for two years.
As breaches go, this was not a huge one. There were no SSN in the data dump and no financial account information. But there was personal information such as names, postal and email addresses, phone numbers, and their experience with insurance rate hikes. There was also other kinds of financial information in another database.
Did the Commissioner of Insurance’s office respond to the notification from this site? Did any of those cc’d on the notification respond to the notification?
No, they did not.
Did they investigate and do anything?
We have no clue.
This does not inspire confidence, does it?