Closing the Regulatory Loophole: Third Party Breach Notification

According to AT&T’s A CEO’s Guide to Navigating the Threat Landscape report, approximately 50 percent of data breaches are first detected by the breached company’s employees. What about the other 50 percent? Those notifications are more-or-less evenly distributed across law enforcement, customers and service providers.

What the report does not measure (because it’s impossible) is how often companies ignore breach notifications from third parties that are not under the employ of the company. Yes, you read that right – some companies ignore breach notifications if they are not from employees, customers, law enforcement, or hired service providers. The reason for this lies in a loophole in virtually all privacy regulations – they do not address third-party notifications, so companies are free to ignore them.

This is a problem our research team at GroupSense has encountered on many occasions. For example, while conducting reconnaissance for one of our customers, we once found a database of thousands of resumes for sale, complete with all the personally identifiable information.

The source was a multi-national human-resources recruiting firm. When we discover this kind of “fresh” stolen data, our policy is to notify the breached company as a courtesy. In this case, we reached out over LinkedIn to top-level security personnel at the company, and received no response. We then worked our way down the chain in the organization, again to no avail. (It was clear, however, that our messages were not going unnoticed, because members of the breached organization were checking out our LinkedIn profiles.)

This is just one of many cases where our efforts to notify companies of breaches have been ignored. In fact, we are only successful about 20 percent of the time when we reach out to these companies. The reason? We do not have first-hand accounts of why people choose not to acknowledge our outreach, but our theory is that because breach discovery triggers a painful internal discovery and external notification process, some security leadership would rather remain unaware.

Another reason is likely the sheer volume of solicitations security organizations get from freelancers and scam artists who want to exchange vulnerability information for money. Legitimate sources can get lost in all the noise.

Whether deliberate or a casualty of the notification overload problem, ignoring third-party notifications of data breaches is a big problem for the breached company. The longer the data is available to threat actors with no breach remediation efforts underway, the more damage can be done, and when the breach finally is “discovered,” the cleanup will be that much worse (and expensive).

Further, much of this data can be used to perpetrate other attacks against the company, such as phishing and fraud. In a world where the effectiveness of incident detection and response has become the measure of cybersecurity competence, ignoring breach notifications from third parties is a fatal flaw. As Gartner says in its Solution Path for Implementing Threat Detection and Incident Response, “Whether it is a standing computer incident response team (CIRT) of 30 people or a single part-time responder, having a dedicated point of contact and, hopefully, a center of excellence for security incident response is essential today.”

All of this circles back to the fact that privacy regulations are not addressing this issue directly. GDPR, for example, states that companies have 72 hours to notify the affected parties when they become aware of a breach. The regulation dictates that “aware” is defined as a “reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.” If someone you don’t know has reached out stating that your organization has a data leak and you arbitrarily decide this might be a scam and do not acknowledge or pursue, are you “aware”? Not exactly.

As a result, there is no motivation to listen to third-party notifications, and in most cases there is no single point of contact or dedicated communications channel through which third parties can notify companies of data breaches (hence our use of LinkedIn with the resume breach).

Regulations always lag reality and at some point this third-party notification problem will be addressed. Until that time, CISOs and other security executives need to resolve this problem by, as Gartner suggests, establishing a point of accountability and communications channel for fielding third party breach notifications.

This may be easier said than done, given the notification overload problem mentioned earlier. However, we have seen it succeed with bug bounty programs and federal government notification channels.

Both of these approaches involve compensation – but paying a little now for a valid breach notification is a better investment than paying a lot to clean up a breach that’s been in threat actors’ hands for months on end.

Most of all, security leadership needs to be wary of this “head in the sand” approach to breach awareness. It can snowball quickly, and the public relations fall-out can be costly.
