In reading news yesterday morning, I stumbled across a question posted on StackExchange:
I found my user details on already old, leaked account information list
I came across an old (>3 years) accounts information list which has been leaked to the web. The list included thousands (>10.000) of account details from a service or services. Apparently the event was a small-scale news item back in the days, so there’s not too much to do now, even if the one page I found would be removed from the web right now.
The query continues, but my immediate reaction was:
Why wasn’t this individual notified of the leak by the entity whose data were leaked?
Yes, we know that there are many leaks like this on a daily basis, and this refers to an incident a while back, it seems, but how many people may still be at risk over old leaks because they were never notified that their email addresses and weakly protected passwords were hacked and dumped? How many of us no longer even remember where we had accounts and where we may have used or re-used certain passwords?
At the very least, people should change their passwords on all current accounts to use stronger passwords or passphrases that are not re-used across sites. Now you, as a savvy reader of this site, know that already, but what about the general public?
And we really need stronger data breach notification laws. Even though we should be diligent in trying to protect ourselves, those who collect and store our information should be obliged to notify us when they have suffered a security failure that exposes our information. It really is as simple as that, and don’t let the business lobby spin it or try to convince you that breach notification fatigue will set in. Yes, maybe people will get tired of getting breach notification letters, but I think we need to let people decide whether to act on a notification or not, and not deprive them of the opportunity to make that decision for themselves.