Organizations tend to overlook breach notifications because of a loophole in virtually all privacy regulations: the regulations do not address third-party notifications, so companies feel free to ignore them.
Whether deliberate or a casualty of notification overload, ignoring third-party notifications of data breaches is a huge problem for the breached company. The longer the data is available to threat actors with no breach remediation efforts underway, the more damage can be done, as the exposed data may be used to access more data; when the breach is finally "discovered," the cleanup will be that much worse, and that much more expensive.
If you are warned by a third party that you have been breached:
- Be suspicious. Never share sensitive information, provide access to systems or make payments to anyone without confirming who they are via a second form of communication and with advice from incident responders and legal.
- Be receptive. Taking a defensive approach can result in a breakdown of communication and in not getting the details you need to stop or mitigate the exposure. Sometimes tipsters are underage and have stumbled upon data. They may mean well, but they may panic if you sound accusing when asking how and where they got the information.
- Be alert. You may receive warnings, or be able to see chatter on social media, that could alert you to an issue. Monitor these channels closely and have a defined path by which these communications are routed for investigation.
Steps to take now:
- Create a plan of action.
- Be prepared. Have the resources that you need ready to help you with legal, forensics and public relations aspects of a potential incident.