Zero-Day Newsletter: Cybersecurity reports, news, and insights for IT professionals

Cybersecurity news doesn't have to be boring. Comparitech's Zero-Day Newsletter is focused on giving IT professionals weekly updates on cybersecurity alerts, ransomware news, industry insights, and IT product recommendations.

Dec 13 • 3 min read

How long is too long to report on a breach?


Friday the 13th is still better than Monday the whatever

Over the last week, Friday 13 came a little earlier for some companies than others.

The Romanian utility company Grupul Electrica continues to be paralyzed by an ongoing attack claimed by Lynx. Australia’s Ainsworth Game Technology Limited sees no fun in the $1.2 million ransom demand from Medusa after its November attack (Medusa claims to hold 852GB of data).

And the Costa Rican government-owned oil refinery, RECOPE, is now coping after its hackers (RansomHub) claimed to have demanded only a “fair and favorable” $750,000 ransom from the company, not the $5 million RECOPE had suggested.

When it comes to who’s telling the truth, we should all turn toward the innocent targets. But, as we’ll find out below, ransomware victims are often a little too slow to acknowledge the true extent of these attacks.

(Skip to the bottom if you want to know how long is too long to wait to report on a data breach.)

Shutting the barn door after the horse has bolted

You know the above saying? Well, over the last week, we’ve seen some data breach notifications come through a year or more after a ransomware attack was detected. Offering those affected free access to identity theft protection services over a year after their data has been stolen is a bit like trying to put a Band-Aid on a bullet hole; it just ain’t going to cover it. You need to stop the bleeding early, or suffer the consequences.

This week, Anna Jaques Hospital in Massachusetts started notifying 316,342 people of a data breach following a ransomware attack in December 2023. Money Message claimed the attack on its data leak site in January after allegedly stealing 500GB of data. While Anna Jaques posted a notice about this potential breach on its website in January, it took a further 11 months to reach out to those affected.

Shall we take bets on how many of the 316K+ people affected 1) saw the notification on the hospital’s website in January and 2) took notice?

Travel giant Sabre also began issuing notifications to 29,590 people following an attack it discovered in September 2023, which was claimed by Dunghill Leak at the time. Not only that, but Dunghill Leak alleged to have stolen a whopping 1.3TB of data, and Sabre also admitted the hackers had access to its systems from July 2022!

Even if we allow some wiggle room for how long it takes to uncover an infiltration by cybercriminals into a network, the notification from Sabre still comes 15 months too late.

School’s out…but it’s no time to celebrate

“Sorry, kids…classes are cancelled!”

No, it's not snowing. The school’s just been hit by a ransomware attack.

Last month, Greater Lawrence Technical School had to close schools from November 12 to 15 as it battled to contain an attack by the group Abyss. Meanwhile, after also overcoming an attack last month, Rutherford County Schools now faces a 20 bitcoin ($2M) demand from the ransomware gang Rhysida.

This month, we’ve already noted four other confirmed attacks on Pembina Trails School Division, Marietta City Schools, Wayne-Westland Community Schools, and Highland Park Independent School District. And with the latter causing a week-long outage, it remains to be seen how many kids get an earlier Christmas break than intended this year.

How long is too long to report on a breach?

We get it. This is an exceptionally tough question…for legal executives and legal teams. Not for security professionals. We know that the ethical thing to do is to report on a breach as soon as it’s been verified, and then to offer further information to the potentially impacted individuals as it comes out.

But legal and communications teams are gonna do what they do best: stall and try to navigate around bad PR.

To review, though:

  • General Data Protection Regulation (GDPR): Requires breaches to be reported within 72 hours of becoming aware of the breach if it poses a risk to individuals' rights and freedoms.
  • California Consumer Privacy Act (CCPA): Doesn’t specify a time frame but requires “reasonable notification,” which typically aligns with industry standards (often within 30 days).
  • State-Specific Laws (U.S.): Many states mandate notification to affected parties within 30–45 days.

And then:

Industry-Specific Standards:

  • HIPAA (Healthcare, U.S.): Requires reporting within 60 days of discovery.
  • PCI DSS (Payment Card Industry): Encourages prompt reporting to relevant parties but leaves timelines flexible.

The answer is “it depends”, but almost universally, the reality is that if your company isn’t reporting within 2–3 months, you’ve probably waited unethically long to help impacted individuals avoid the negative outcomes of stolen data.

There’s a reason our post on Network Monitoring Tools is one of our most popular. The sooner you know about an intrusion, the sooner you can both solve it and report on it. Yes, there are practical (usually legal or financial) reasons to wait, but not reporting for over a year? C’mon now.

Until next week. Let’s keep that zero-day count at zero!

Suite 3 Falcon Court Business Centre, College Road, Maidstone, Kent ME15 6TF
