From the we-tried-to-notify-you dept. Brian Krebs reports:
Notifying people and companies about data breaches often can be a frustrating and thankless job. Despite my best efforts, sometimes a breach victim I’m alerting will come away convinced that I am not an investigative journalist but instead a scammer. This happened most recently this week, when I told a California credit union that its online banking site was compromised and apparently had been for nearly two months.
On Feb. 23, I contacted Coast Central Credit Union, a financial institution based in Eureka, Calif. that serves more than 60,000 customers. I explained who I was, how they’d likely been hacked, how they could verify the hack, and how they could fix the problem. Two days later when I noticed the site was still hacked, I contacted the credit union again, only to find they still didn’t believe me.
Read more on KrebsonSecurity.com.
Brian – and this site – and Chris Vickery – and JigSaw Security – and most researchers I’ve spoken with – all continue to have problems making notifications. Brian describes the experience of Alex Holden:
Holden said his company has been reaching out to the affected site owners, but that it hasn’t had much luck getting responses. In any case, Holden said he doesn’t relish the idea of dealing with pushback and suspicion from tons of victims.
“To be fair, most vulnerable sites belong to individuals or small companies that do not have contacts, and a good portion of them are outside of US,” Holden said. “We try to find owners for some but very few reply.”
So years later, we’re still experiencing the same challenges while consumer data remains at risk or compromised. When, oh when, will we give up on self-regulation and require entities to have a notification system available via their web sites?
But even if we had such a requirement, how do we deal with the fact that they may not trust the notifications and view us as criminals or scammers? Most of us who provide notifications do so as a courtesy and for the public good. Some have already given up on trying to make notifications privately or at all. Is this what we really want? If not, where do we go from here?