ICO, forgive me – it has been three weeks since I discovered my breach

Businesses waited an average of three weeks after discovering a data breach to report it to Britain's privacy watchdog before GDPR came into force – with many waiting until the end of week to 'fess up. According to an analysis of the 181 data breach reports submitted to the Information Commissioner's Office in the year ended 5 …

  1. Anonymous Coward

    What is the premise of this article?

    Unlike Hollywood, where any unauthorised access is heralded by big flashing signs and screaming sirens, the reality is that it can be difficult for a company to identify when and if a breach has occurred, particularly if the miscreants just silently login and copy data.

    If you cast your eye over a typical business's firewall logs, you can see attempts to gain access or to probe for weaknesses every hour of every day, but being able to identify a successful attack from all the background noise is difficult.

    Even with the very best IPS / IDS, WAF and other security tools, if someone uses stolen credentials to access a legitimate account, there is no easy way to distinguish that access from a legitimate user. It is usually only after stolen data has been released that the target business knows there has been a breach, and can then check back in the logs to see when and how it was done, and then report it.

    If a malicious actor gets in using valid credentials, and extracts data, but doesn't broadcast that fact, then the victim may never know it ever happened.

    It is therefore hardly surprising that businesses are slow to report a breach. They will want to make damn sure that there has been one, before reporting it.

    1. DavCrav Silver badge

      Re: What is the premise of this article?

      "It is therefore hardly surprising that businesses are slow to report a breach. They will want to make damn sure that there has been one, before reporting it."

      I think the point was the gap between finding a breach and reporting it, not the gap between there being a breach and it being found.

      1. Yet Another Anonymous coward Silver badge

        Re: What is the premise of this article?

        That's the poster's point: when do you "discover" a breach?

        If you see an increased number of connections in the logs, or a few customers call to change their credit card numbers it could take weeks to build up enough evidence that there is an actual security failure.

        Of course, you could also "continue to investigate" for years before feeling that you have enough evidence - just like government inquiries.

    2. Gene Cash Silver badge

      Re: What is the premise of this article?

      This is noise. The article takes pains to say "discovering a breach" - the point at which someone technical turns to someone managerial and goes "oh shit, we've been haxz0red"

      The point of the article is that management then goes on a CYA binge and tells everyone to keep schtum, until they're forced to come clean for some reason.

    3. Anonymous Coward

      Re: make sure there is one before reporting

      Worked for a company in a capacity that had me well aware of hazardous material spills. They regularly delayed reporting using the claim that they had to be informed of, or confirm there was, a spill before reporting a spill.

      They also had a habit of under-recording the size of the spill (just under legal limit) to avoid having to report or explain delays when a spill could not be hidden.

      That company, and its industry, only ever mentioned the minimum quantity involved. If one liter contaminated one thousand liters it would only ever be referred to as one liter, even as the tanker trucks moved in to clean up the thousand liters of hazardous material.

      I tell that story to remind people that publicly traded for-profit businesses have one, and only one, driving purpose. To make money. Any efforts, any expenses, can only be justified by profit. Even charity has to give a ROI in PR or by ensuring support from "key" community members.

      Under-reporting is to be expected and can only be avoided by making companies pay far more (orders of magnitude more) in fines than it costs them to act in a safe and responsible manner.

      Putting board members in jail is so effective that businesses have spent considerable time and money creating a system where today that is almost impossible. IMO jail for board members and owners should be brought back as an option for companies failing to operate in a responsible manner.

      Yes it is hard to operate responsibly and doing so while others do not puts companies at a major disadvantage but IMO demanding anything less is a race to the bottom.

    4. Anonymous Coward

      Re: What is the premise of this article?

      Very true. And if you work for a very small charity with little money it's also very difficult. I'm not experienced enough to know what to look for. We had a minor breach that had lasted for months before being spotted. With Office 365. 2FA was never turned on, which I warned about months before, but for certain reasons (users not understanding it) it was never implemented. During this time someone had guessed/got hold of a user's 365 password. They quietly got on, before I'd even started working there, and put a redirect to their own burner e-mail address. They'd crafted rules on web mail that filtered down to the Outlook client, to hide the redirects by making them go straight to the deleted folder.

      No one was looking for this, so it was never spotted until one day the burner e-mail address stopped working. When you'd e-mail him, the genuine user, you'd get a bounce back about the mail not being delivered to the external hotmail burner account. That was the only time the redirect was noted. It was also at that point we noted the rule to warn us when a redirect was set on a mailbox to an external e-mail wasn't actually working. Hence we never knew about it.

      Such a simple breach but as we were never looking for it, we never spotted it. And don't have the funds for a proper security engineer.

      It was reported to the ICO straight away however. Looking through the user's mailbox over those months, nothing was ever sent to that mailbox that was of any interest in the end.
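      The silent redirect-plus-delete rule this comment describes, and the alert that was supposed to catch it, can both be checked for offline. What follows is an added example, not code from the commenter or from Microsoft: it runs over a constructed list of inbox-rule records (field names modelled loosely on Exchange Online's Get-InboxRule output and assumed for illustration, as is the example.org internal domain), flags enabled rules that forward or redirect mail to external addresses, rates those that also delete or bury the message as high severity, and pushes a canary rule through itself first so that a detector which has silently stopped working is noticed rather than trusted.

```python
"""Detect mailbox inbox rules that forward or redirect mail outside the tenant.

Added example, not from the original comment or from Microsoft. The rule
records are constructed and shaped loosely after fields exposed by Exchange
Online's Get-InboxRule cmdlet (Name, Enabled, ForwardTo, RedirectTo,
ForwardAsAttachmentTo, DeleteMessage, MoveToFolder); the exact field names
and the INTERNAL_DOMAINS value are assumptions for illustration.
"""
import re

# Constructed: the domains this tenant owns. Anything else counts as external.
INTERNAL_DOMAINS = {"example.org"}

# Matches a bare address or the address inside "Display Name [SMTP:user@host]".
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Folders commonly used to bury copies of mail a rule has acted on.
HIDING_FOLDERS = ("deleted items", "junk email", "rss feeds", "archive")


def external_targets(rule, internal_domains=INTERNAL_DOMAINS):
    """Return every forward/redirect recipient whose domain is not internal."""
    found = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for entry in rule.get(field) or []:
            match = ADDR_RE.search(entry)
            if match is None:
                continue
            address = match.group().lower()
            if address.rsplit("@", 1)[1] not in internal_domains:
                found.append(address)
    return found


def hides_evidence(rule):
    """True when the rule also deletes or buries the message it acted on."""
    folder = (rule.get("MoveToFolder") or "").lower()
    return bool(rule.get("DeleteMessage")) or any(h in folder for h in HIDING_FOLDERS)


def classify_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return findings for enabled rules that send mail to external addresses.

    Severity is 'high' when the rule also hides what it forwarded (the
    redirect-plus-delete pattern), otherwise 'medium'.
    """
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # a disabled rule moves no mail; it can be reviewed separately
        targets = external_targets(rule, internal_domains)
        if not targets:
            continue
        findings.append({
            "mailbox": rule.get("MailboxOwnerId", "?"),
            "rule": rule.get("Name", "?"),
            "severity": "high" if hides_evidence(rule) else "medium",
            "targets": targets,
        })
    return findings


def detector_sanity_check():
    """Prove the detector fires on a known-bad canary rule before trusting its silence."""
    canary = {"MailboxOwnerId": "canary@example.org", "Name": "canary",
              "Enabled": True, "RedirectTo": ["canary@external.example"],
              "DeleteMessage": True}
    result = classify_rules([canary])
    return len(result) == 1 and result[0]["severity"] == "high"


# Constructed sample export: a benign internal rule, an attacker-style redirect
# that also hides the mail, a disabled external forward, and a plain external forward.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.org", "Name": "To finance folder",
     "Enabled": True, "ForwardTo": ["Bob Finance [SMTP:bob@example.org]"],
     "MoveToFolder": "Finance"},
    {"MailboxOwnerId": "alice@example.org", "Name": ".",
     "Enabled": True, "RedirectTo": ["[SMTP:burner-mailbox@external.example]"],
     "MoveToFolder": "Deleted Items"},
    {"MailboxOwnerId": "carol@example.org", "Name": "Old forward",
     "Enabled": False, "ForwardTo": ["carol.home@external.example"]},
    {"MailboxOwnerId": "dave@example.org", "Name": "Copy to phone",
     "Enabled": True, "ForwardAsAttachmentTo": ["dave.mobile@external.example"]},
]


if __name__ == "__main__":
    if not detector_sanity_check():
        raise SystemExit("detector sanity check failed; do not trust its silence")
    for f in classify_rules(SAMPLE_RULES):
        print(f"{f['severity']:6} {f['mailbox']:20} rule {f['rule']!r} -> {', '.join(f['targets'])}")
```

      Running the canary on every pass is the point of detector_sanity_check: the commenter's alert failed silently, and a detector that never fires looks identical to one that has nothing to find unless something forces it to fire on schedule.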

  2. BebopWeBop Silver badge

    I am amazed that the average length of time is so short, although obviously some companies (such as the suspected Uber breach) skew figures. A median value even without a distribution would be useful in such a report.

    From 'anonymous' above, I could not agree more. Name and shame, which will drive some consumer resistance in order to add pressure to these lazy bastards, seems essential. I know there will be an argument that this might deter some of them from reporting, but an independent bounty on 'spots' of GDPR breaches combined with punitive fines (which will pay for the bounty) would be a welcome addition.

  3. Doctor Syntax Silver badge

    What's missing from this is any account of the action taken by ICO to fine those who have delayed. They have now been given substantial powers. We need to see them used. Unless offenders see that there are very real penalties for delaying they will continue to delay and hope that the delay can become permanent.

    1. Anonymous Coward

      "What's missing from this is any account of the action taken by ICO to fine those who have delayed."

      The article covers data to April 2018, 1 month prior to the introduction of GDPR. Under the old Data Protection Act, I'm not aware of there being a reporting requirement.

  4. I am David Jones

    Dodgy stats

    “nearly half of all breaches (87) were reported to the ICO on a Thursday or Friday.”

    Interesting fact: nearly half of all working days are a Thursday or Friday.

  5. Anonymous Coward

    Careful of Win10 Privacy toggle switches: not all is what it seems, a switch is not always a switch.

    Windows 10 toggle switches don't always set themselves when you think you've set them.

    Windows 10 toggle switches seem to have a time delay of 30 seconds, after you set them, so if you quickly switch a toggle switch such as the advertising ID (to change it), it will have no effect unless you leave the switch toggled for at least 30 seconds, after closing the Privacy Settings window.

    This is the type of deception we have to deal with, regarding Privacy.

    Test it yourself with CCleaner: new cookies won't be generated initially, but only 30 seconds after the advertising ID switch is toggled, and only after the Privacy Settings window is closed.

    There is something going on here which isn't exactly honest, regarding Microsoft.

  6. The JP

    In the real world...

    ...lots of these breaches are not very big and not very exciting. Think documents left on the bus rather than cyber attackers.

    Thought process if the breach occurs on a Monday - Let's find out what happened and wait until the end of the deadline to make sure we have all the facts.

    Thought process if the breach occurs on a Thursday - Do I really want to spend my weekend sorting this out or shall I just chuck the notification on Friday afternoon...?
