Organizations sometimes ignore breach notifications because of a loophole in virtually all privacy regulations – they do not address third-party notifications, so companies feel free to ignore them.
Whether deliberate or a casualty of the notification overload problem, ignoring third-party notifications of data breaches is a big problem for the breached company. The longer the data is available to threat actors with no breach remediation efforts underway, the more damage can be done, as the exposed data may be used to access more data, and when the breach finally is “discovered,” the cleanup will be that much worse (and more expensive).
If you are notified by a third party that you have been breached:
1) Be receptive. Taking a defensive approach can result in a breakdown of communication and leave you without the details you need to stop or mitigate the exposure. Sometimes tipsters are underage and have stumbled on data; they may mean well, but they may panic if you sound accusing when asking how and where they got the information.
2) Be alert. You may have warnings, or be able to see chatter on social media, that could alert you to an issue. Monitor these channels closely and have a defined path for these communications to be sent to for investigation.
3) Be suspicious. Never share sensitive information, provide access to systems or make payments to anyone without confirming who they are via a second form of communication and with the advice of incident responders and legal counsel.
Steps to take NOW:
4) Consider adding a “security.txt” file to your website as a point of contact, to acknowledge that you are receptive to security researchers.
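A security.txt file only works as a contact point if researchers can find it and it is kept current, so it is worth checking the file the way a tool or a researcher would. The following is an added example, not code from the original article: it builds and validates a security.txt along the lines of RFC 9116 (the file is expected at /.well-known/security.txt, must carry at least one Contact and exactly one Expires, and web Contact URLs should use https). The sample file and the example.com addresses are constructed for illustration; the checks are a subset of the RFC's rules, not a full conformance test.

```python
"""Build and sanity-check a security.txt file (added example, RFC 9116 subset).

Assumptions: field names and rules are taken from RFC 9116; the sample file,
the example.com URIs and the fixed 'now' used in the demo are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample, as it would be served at https://example.com/.well-known/security.txt
SAMPLE_SECURITY_TXT = """\
# Constructed sample security.txt for example.com
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2026-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""

# Fields defined by RFC 9116 (names are case-insensitive, compared lowercase here)
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "csaf", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}


def parse_security_txt(text):
    """Return [(field_lowercase, value), ...], skipping comments and blank lines."""
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        name, _, value = line.partition(":")  # split at the first colon only
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the checks passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)
    names = [name for name, _ in fields]

    if "contact" not in names:
        problems.append("missing required Contact field")
    for name, value in fields:
        # Contact must be a URI; web URLs are required to use https
        if name == "contact" and not value.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:, tel: or https: URI: {value}")
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field '{name}' (check for a typo)")
    if names.count("preferred-languages") > 1:
        problems.append("Preferred-Languages must appear at most once")

    if names.count("expires") != 1:
        problems.append("Expires must appear exactly once")
    else:
        raw = dict(fields)["expires"]
        iso = raw[:-1] + "+00:00" if raw.endswith("Z") else raw
        try:
            expires = datetime.fromisoformat(iso)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {raw}")
        else:
            if expires.tzinfo is None:
                problems.append("Expires must include a timezone offset")
            elif expires <= now:
                problems.append(f"security.txt expired on {raw}; researchers may ignore it")
            elif expires - now > timedelta(days=365):
                problems.append("Expires should be less than a year in the future")
    return problems


def build_security_txt(contacts, valid_days=180, now=None, **extra):
    """Render a minimal security.txt whose Expires is valid_days ahead of now."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=valid_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"Contact: {c}" for c in contacts] + [f"Expires: {expires}"]
    for name, value in extra.items():  # e.g. canonical=..., preferred_languages=...
        lines.append(f"{name.replace('_', '-').title()}: {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    demo_now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed fixed clock
    print("sample problems:", validate_security_txt(SAMPLE_SECURITY_TXT, now=demo_now))
    stale = "Contact: http://example.com/report\nExpires: 2024-01-01T00:00:00Z\n"
    for problem in validate_security_txt(stale, now=demo_now):
        print("stale file:", problem)
    print(build_security_txt(["mailto:security@example.com"], now=demo_now,
                             canonical="https://example.com/.well-known/security.txt"))
```

Run the validator on a schedule (or in CI for the site) so an expired file or a contact address that no longer exists is caught before a researcher gives up on it; an unreachable contact is the same outcome as having no file at all.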
5) Be prepared. Have the resources you need at the ready to help you with the legal, forensics and public relations aspects of a potential incident. We have a unique and cost-effective service that gives you 24/7 access without a large retainer.