"There is no evidence that any unencrypted credit card data was accessed."

This phrase is infuriating for a few reasons. First, it plays to, and reinforces, the false notion that credit card data is the thing you need to worry about in a breach. It is not.

Second, it relies on the phrase "no evidence". An absence of evidence is not evidence of absence.

The authors of these statements know both of those things. If they spent as much time securing their systems as they did crafting subtly deceptive blog posts, we'd all be better off.

@boblord This comment comes up after just about every breach disclosure. I am curious: what does a company say or do when an investigation is ongoing but so far has not come across any sign of credit card access? Consumers and reporters inevitably ask about CC access, so it's not really an option to simply say nothing. How can a company prove a negative anyway? They can either say it was accessed or they have no indication it was accessed. What more can a breach victim say?
@dangoodin @boblord Saying there is no evidence something was taken without disclosing there is no evidence something was not taken is a bit disingenuous.
@boblord @gdbassett Yes, people keep saying that, but they don't say how the disclosure should be worded differently. Do you have specific language in mind?
@dangoodin @boblord I think you can either caveat the "no evidence" statement with the equivalent of "Absence of Evidence does not mean Evidence of Absence", or modify the statement to state your lack of evidence in either direction (somewhat unflattering): "We have no evidence for or against breach of unencrypted CC data."
@boblord @gdbassett If this is all the criticism is based on, it feels like a tempest in a shot glass to me.
@dangoodin @boblord When coding breaches I would code the two statements differently. Saying no information indicating a breach suggests it was not a breach (attribute.confidentiality.data_disclosure.No in VERIS). Saying not enough information to assess if it's a breach implies it's unknown if it's a breach (attribute.confidentiality.data_disclosure.Unknown).