"There is no evidence that any unencrypted credit card data was accessed."

This phrase is infuriating for a few reasons. First, it plays to, and reinforces, the false notion that credit card data is the thing you need to worry about in a breach. It is not.

Second, it relies on the phrase "no evidence". An absence of evidence is not evidence of absence.

The authors of these statements know both of those things. If they spent as much time securing their systems as they did crafting subtly deceptive blog posts, we'd all be better off.

@boblord This comment comes up after just about every breach disclosure. I am curious: what does a company say or do when an investigation is ongoing but so far has not come across any sign of credit card access? Consumers and reporters inevitably ask about cc access, so it's not really an option to simply say nothing. How can a company prove a negative anyway? They can either say it was accessed or they have no indication it was accessed. What more can a breach victim say?
@dangoodin @boblord Saying there is no evidence something was taken without disclosing there is no evidence something was not taken is a bit disingenuous.
@dangoodin @boblord I believe there's a relevant Sagan quote: "Absence of evidence does not mean evidence of absence".
@gdbassett @boblord if you’re not going to answer my question about the wording, I don’t think there’s much more for us to discuss.
@dangoodin @gdbassett @boblord having written more incident response statements than most CISOs at this point in my career, I find a common pitfall is expecting a single statement to address the concerns of all stakeholders. What works for infosec doesn’t work for everyone.
Good IR comms is an orchestrated symphony of tailored comms that answer different questions for each audience. These various communications align, but they’re not identical.

@Wednesday @dangoodin @gdbassett

Great point and very true. I still think we can get better at this.

@gdbassett @Wednesday @boblord This is precisely the kind of IR expert POV needed here. Melanie, any thoughts about the overall adequacy of the LastPass disclosure or specific things that would have made it better?
@dangoodin @gdbassett @boblord I don't know anything more than you about what LastPass has to work with here & those details really matter for a credible assessment. Generally speaking, the goal is to uplift people to a higher security literacy than BEFORE the incident, e.g. explain why you included (or not) certain details, e.g. "we expect users will be concerned about cc data, so we looked into it, but here's our primary focus (& why)…"