Re: Knock, knock. Who's there? No one.
From: "Dissent" <admin () databreaches net>
Date: Tue, 26 Feb 2013 13:29:48 -0500

Al Mac asks about the next "civilized step" when attempts to notify an
entity of a breach have failed.

Apart from the fact that I'm usually not feeling particularly
civilized at that point, I've actually used some of Al's suggestions
at times, with varying degrees of success:

Because of the nature of the information in a data dump, I once called
the Texas Attorney General's Office and spoke to one of their
attorneys in the Consumer Protection division. He called the entity
right away and got through. So that's a good strategy to consider
during regular business hours if sensitive data are being exposed.

One strategy Al didn't mention, but may be the most effective, is to
contact local media from that area, which is what I did in this case
after the hospital failed to acknowledge our phone calls or contact
form submission. The reporter got through to them right away. I won't
get into their response to him just now as he'll either report on it
today or tomorrow, or I'll blog about it and name names because it's
not okay to just not respond when someone tries to alert you to a

Note that I do not recommend contacting the media first - I'm only
suggesting it if attempts to reach the entity have failed.

A third strategy I think I may choose to use more of in the future is
to send one notification/make one call and as part of the message say,
"I will be publishing this within the next 48 hours if I don't hear
from you with information to the contrary." Maybe that will get some
entities off the dime to respond. I do know that I had made repeated
attempts to notify WellPoint of their massive breach involving patient
information years ago and got absolutely no response over several
weeks until I sent one final email saying I was going to publish in 48
hours and they'd better secure their server before I published. That's
when I finally got a response.

It's a shame we have to go through this when we're just trying to help
improve data security.

In total frustration, I've outlined some thoughts for a federal law to
facilitate notification/alerting. I've sketched out my thoughts here:
http://www.databreaches.net/?p=26909 and your feedback in the comments
section would be welcome. My proposal would also immunize people for
responsible disclosure of vulnerabilities.

Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list