"There is no evidence that any unencrypted credit card data was accessed."

This phrase is infuriating for a few reasons. First, it plays to, and reinforces, the false notion that credit card data is the thing you need to worry about in a breach. It is not.

Second, it relies on the phrase "no evidence". An absence of evidence is not evidence of absence.

The authors of these statements know both of those things. If they spent as much time securing their systems as they did crafting subtly deceptive blog posts, we'd all be better off.

@boblord This comment comes up after just about every breach disclosure. I am curious: what does a company say or do when an investigation is ongoing but so far has not come across any sign of credit card access? Consumers and reporters inevitably ask about cc access, so it’s not really an option to simply say nothing. How can a company prove a negative anyway? They can either say it was accessed or they have no indication it was accessed. What more can a breach victim say?
@dangoodin @boblord saying there is no evidence something was taken without disclosing there is no evidence something was not taken is a bit disingenuous.
@dangoodin @boblord I believe there's a relevant Sagan quote, “Absence of Evidence does not mean Evidence of Absence”.
@gdbassett @boblord if you’re not going to answer my question about the wording, I don’t think there’s much more for us to discuss.
@dangoodin @gdbassett @boblord having written more incident response statements than most CISOs at this point in my career, I find a common pitfall is expecting a single statement to address the concerns of all stakeholders. What works for infosec doesn’t work for everyone.
Good IR comms is an orchestrated symphony of tailored comms that answer different questions for each audience. These various communications align, but they’re not identical.
@Wednesday @dangoodin @gdbassett @boblord what I don't like is other password managers gloating and making fun of the situation. Looking at you, #1Password. You better make sure you're all shored up!

@rhcmuts @Wednesday @dangoodin @gdbassett I have not seen that and hope it's not true.

Back in the day Jim Barksdale warned Netscape employees to not gloat over IE vulnerabilities. He reminded us that airlines don't take out ads touting their safety record when a competitor has a plane crash. It's bad for the entire industry.

@boblord @Wednesday @dangoodin @gdbassett I mean, even as an unrelated observation, it's pretty tone deaf.
@rhcmuts @boblord @dangoodin @gdbassett If true, it’s not very smart. We all live in glass houses.