On January 16, DataBreaches.net attempted to notify Florida International University about a possible hack after seeing that email addresses and plain text passwords of what appear to be faculty and students at FIU had been dumped on a paste site. This site sent FIU a sample of the records in the paste with a link to the paste, noting that there were about 160 addresses with passwords in one section of the data dump, and that another section included first and last names, usernames, encrypted passwords, and email addresses.
The paste had been online since January 10.
DataBreaches.net received no response at all to the attempted notification.
On January 27, DataBreaches.net sent a second notification to FIU, this one to [email protected].
And… nothing. No response at all.
This continues to happen waaaaay too often.
It’s Data Privacy Day. How about we work on getting all entities to post a link next to their “privacy policy” link on their home page where white hats and others can report security breaches or concerns? And then how about we get entities to understand that they really need to respond to attempted notifications?
It’s part of incident response, folks. Don’t you DARE tell us, “We take security very seriously” when you don’t have an obvious way to even report a security breach, because, frankly, I just won’t believe you.