DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

A positive example of forthright breach disclosure (1)

Posted on December 17, 2024December 22, 2024 by Dissent

Update: The notification DataBreaches read is not what was sent out to affected consumers. That one can be found on pages 3 and 4 of the embedded file.  The consumer version is not as detailed as the disclosure I have raved about. But do read about the one they sent New Hampshire that was excellent.


DataBreaches will leave it to others to critique Byte Federal’s data security prior to their reported incident(s), but DataBreaches is giving them a huge “bravo!” for their detailed disclosure that explains, to the best of their knowledge, what happened, when, and how to approximately 58,000 customers.

As just two examples taken from their disclosure:

On September 30, 2024, Byte Federal became aware of an unauthorized attempt to manipulate our database. However, there was no indication at the time that any customer information was at risk. We immediately blacklisted the attacker’s public address. By 10:00 AM, we had identified the attacker’s IP addresses leading to a temporary halt in operations and database lockdown. Further investigation revealed that the breach originated from a misconfiguration in our web server, which exposed a Personal Access Token in the .git/config file of our staging website. This token granted the attacker access to our GitLab code repository, allowing them to extract hardcoded data.

[…]

The data was encrypted, but the attacker also acquired the encryption key. We confirm that no customer funds or assets were lost, but we cannot confirm whether the data was sold on the dark web or otherwise shared. We have no way of knowing the attacker or their origin.

What a pleasure not to read some entity claiming that “they have no evidence of misuse or fraud…”

This is how to do disclosure transparently, folks.

byte-federal-20241213

The update has been edited to point to pages 3 and 4 of the embedded file rather than an external source. 

Category: Commentaries and AnalysesOf Note

Post navigation

← Securities and Exchange Commission Settles Charges Against Flagstar for Misleading Investors About Citrix Data Breach
CISA orders federal agencies to secure Microsoft cloud systems after ‘recent’ intrusions →

2 thoughts on “A positive example of forthright breach disclosure (1)”

  1. Anessa Santos says:
    December 22, 2024 at 7:45 pm

    You should know that the notice a company sends out to its customers cannot contain the same information as the one sent to the state Attorney Generals. This is because Massachusetts law about data breach notification completely prohibits the customer notice from including any details about “the nature of the breach of security or unauthorized acquisition or use.” Mass. Ann. Laws ch. 93H, § 3(b). In contrast, most state laws require these same details to be included in the notice to the state. This is just one of a myriad of reasons why we desperately need one federal omnibus rule that governs privacy and data protection for the whole nation.

    1. Dissent says:
      December 22, 2024 at 9:12 pm

      I am used to Massachusetts notifications being devoid of useful information. But this was to the New Hampshire Attorney General’s Office. And as you likely know, in many submissions to that state AG’s office, the letter is almost identical to what is sent to consumers, although the one to the state must include the number of New Hampshire residents affected. In this case, the one to the state and the one to consumers were significantly different, in my opinion. I was just so excited reading the first two pages of the file that I neglected to read the next two, which were the letter to consumers. But we definitely need one federal bill — as long as it is at least as strong as the strongest state law.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations
  • HHS OCR Settles HIPAA Security Rule Investigation of BayCare Health System for $800k and Corrective Action Plan
  • UK: Two NHS trusts hit by cyberattack that exploited Ivanti flaw
  • Update: ALN Medical Management’s Data Breach Total Soars to More than 1.8 Million Patients Affected
  • Russian-linked hackers target UK Defense Ministry while posing as journalists
  • Banks Want SEC to Rescind Cyberattack Disclosure Requirements
  • MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Russian hospital programmer gets 14 years for leaking soldier data to Ukraine
  • MSCS board renews contract with PowerSchool while suing them

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation
  • U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data
  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.