From a bystander's point of view, this seems like a 'fake' plateau of concern followed by business as usual for almost all companies, companies that have seemingly no concern or timeline for the real victims: us. "Marriott is yet to offer more detail on just how its Starwood database was stolen. The original hack was traced back to 2014, but no specific month or date was given." So this attack has been going on for a while, and here at the end of December we still don't know much more about it. While responsible disclosure would apply if the hack was a zero-day, they have yet to confirm or deny what it actually was.
Why is this considered the only required public statement for a breach?
I'd like to see a governance framework discussed that states requirements for each data type held by a business. For instance, if you want to store a customer's payment information, you must have x, y, z requirements in place. If you want to hold onto social security information, your organization must use X encryption, have air-gapped systems, etc. These systems would have to be inspected and show proof of regular system maintenance and the like.
Thankfully, I stumbled upon this site, which tracks incidents that are reported: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. While it is a great resource to query against, as users we are concerned about our own information. Here is a site that shows us whether our email has ever been 'acquired' without the company letting us know: https://haveibeenpwned.com/