The Reign of Evasive Language in Most Data Breach Alerts
Rare is the day without a new batch of data breach alerts. Some firms, at least, show some regard for the recipient in their breach alerts. The ones I favor treat victims with the decency of Detective Joe Friday from “Dragnet,” known for his no-nonsense, “just the facts, ma’am” style of communication: they tell victims the specific risks they are exposed to and how to counter them.
Some take a more dubious approach. Picture law enforcement informing someone about the demise of a loved one by leading with: “The safety of our town’s inhabitants is of utmost importance to us.”
Too many businesses that suffer a data breach resort instead to promotional rhetoric, downplay their accountability and at times even slip self-promotion into their breach alerts. Frequently, they rely on equivocal language and indirect expression.
In the interest of straightforwardness, and to call out compromised organizations that fail to acknowledge their shortcomings, here is what every organization facing a security breach should steer clear of:
“We greatly value the protection of our clients’ information.” Words often don’t carry much weight, particularly when this is the typical introductory phrase, one that really means “We’ve experienced a data leak.” Wouldn’t it be better to state it outright?
“We place our clients at the heart of all our operations.” This trite phrase was echoed this week by Jeff Walsh, the head of LoanDepot’s mortgage division, in a statement that highlighted the company’s failure to stop a cyber criminal from pilfering the “confidential personal data” of 16.6 million of its patrons.
“We’re delving into a digital mishap.”
Numerous establishments that endure a digital assault or data leak – particularly when it’s tied to ransomware – go to great lengths to label it as something entirely different. Some don’t even formally acknowledge it, other than mentioning a service disruption.
“Offering people complimentary safeguards against identity theft.”
In the gamble of existence, is there a more abundant consolation prize? If fairness prevailed, companies wouldn’t merely “bestow” a service frequently hailed as no-cost on victimized persons who didn’t need it until they were burdened with untangling the chaos created by the compromised organization.
“There’s no proof that your purloined private data has been exploited in a harmful manner.”
Absence of proof is not proof of innocence. Unless someone summons a mythical digital security sprite that can track every bit of misappropriated data to its current or future malicious use, this statement holds no weight.
“We’ve given a heads up to the cops and pertinent oversight bodies about this event, just to be on the safe side.” This oft-repeated phrase, as used by LastPass in 2022, seems to serve as a way of saying: “Hey, we’re on it.” Naturally, you’ll never see: “We neglected our legal duty to alert the authorities and are making a run for a nation devoid of any extradition agreements.” Notifying the police is a wise move, as the intelligence gathered could aid them in tracing, derailing or even apprehending these lawbreakers.
“Measures have been implemented to ensure the recovery of our data.” This is essentially a euphemism for “We’ve compensated the perpetrators with a ransom” in exchange for the assurance of eradicating the stolen information. However, according to cybersecurity experts, there’s no recorded incident in the chronicles of data breaches where stolen data has been verifiably deleted. Regulatory bodies have also made it clear that succumbing to these hollow assurances won’t mitigate any punitive actions they may enforce.
“Change your confidential information.”
Effective alerts for security breaches usually provide steps to follow. Raise your hand if you understand the phrase “change your confidential information,” as suggested by the continuous integration and continuous delivery platform CircleCI following its security incident. Similarly, can we gauge the severity of the security breach at the UK’s massive outsourcing corporation, Capita? The company reported that the intruders had infiltrated “less than 0.1% of its server estate.” Naturally, it didn’t say whether that portion was insignificant or not.
“Nobody is immune to the intricate cyberattacks we face today.”
It begs the question: who hasn’t been compromised? As LoanDepot recently phrased it, “Regrettably, we are part of a society where such attacks are becoming more prevalent and complex, and our sector is not an exception.” This attempt to downplay accountability skirts the question of blame. Specifically, did the compromised entity fail to invest adequately in robust defenses? Was it lacking a comprehensive, well-rehearsed incident response plan that could promptly detect and contain suspicious activity or intrusions?
“It’s uncertain what information the cybercriminals might have gotten their hands on.”
Companies with strong cybersecurity measures in place, particularly thorough logging and monitoring, usually have the ability to piece together what the intruders could have accessed and what they left untouched, and can then alert those affected as needed. Some, however, find themselves in a pickle and admit they’re unsure.
“Kudos to our squad.”
LoanDepot deserves another shout-out: after announcing earlier this month that it had restored systems and alerted 16.6 million clients to the theft of their “confidential personal data,” it is now striving for a group hug. “I’m incredibly proud of our squad,” stated Jeff Walsh, the head of LoanDepot’s mortgage department, in a declaration. “We’re delighted to be back at our forte: empowering our national clientele to reach their financial aims and home-ownership aspirations.” This, of course, raises the obvious question: what is it that the firm isn’t exceptional at?
Wrapping Up: Who’s the Casualty?
Does any regulation or guideline exist that fines corporations for bombarding victims of data breaches with banal gibberish or unrestrained hype? Regrettably, there isn’t one, unless the companies misrepresent the truth (see: Blackbaud’s $3 million penalty for ‘Incorrect’ Breach Information).