Monday, April 15, 2024

The Gimlet Eye: The Nasty Sound of Silence

Last spring, Verizon Communications Inc. issued its latest report on data breaches, reporting that in 2012 there had been 621 such compromises involving 44.8 million records. But now it turns out that there may have been many more breaches than Verizon or anyone else can count. That’s because these uncounted breaches are going unreported.

Organizations are sustaining data breaches but then hushing them up, according to a survey of corporate security officers released last month by ThreatTrack Security Inc. As we report in our Trends & Tactics section in this issue, some 57% of 200 malware analysts surveyed said they had dealt with breaches that their organization never disclosed, either to customers or anyone else. That figure rises to nearly two-thirds of security officers at organizations with more than 500 employees.

What to make of this? First, it’s no doubt outrageous that these intrusions aren’t being reported. As Aite Group senior analyst Julie Conroy told us, the surprise isn’t that there’s a cover-up, it’s that these analysts were willing to disclose it in a survey (though no doubt with a cloak of anonymity). Forty-six states require some form of breach disclosure, and for good reason. Telling customers helps them take action to protect themselves if data thieves try to use or sell card credentials or Social Security numbers, for example.

But disclosure is good for other reasons, too. For example, it helps the malware-analyst community to study and identify variants of malicious code, creating a form of crowdsourcing that can only help isolate and remove the variants the next time they appear.

So why would these organizations suppress news of breaches? The survey respondents weren’t asked to speculate, but embarrassment might be part of the reason. It turns out corporate officers—including top brass—are unwitting accomplices in at least some cases, with such practices as clicking on links in phishing emails, letting family members use their company-issued computer, and visiting infected pornography sites (yes, sadly, you read that right).

It also appears fear of regulatory backlash could account for much of the silence, Dipto Chakravarty, executive vice president of engineering and products at ThreatTrack, told us. Fines and other penalties levied either by the card networks or state regulators “can often be a deterrent to full disclosure,” he said.

Now, fear of penalties is of course no excuse for breaking the rules. But perhaps the rather shocking extent of non-disclosure is an indication that it’s time for the networks to revisit their sanctions. Perhaps they can strike a better balance in protecting the card-carrying public while punishing businesses that, one way or another, allow their systems to be ransacked.

John Stewart, Editor

john@digitaltransactions.net


Digital Transactions