"There is no evidence that any unencrypted credit card data was accessed."

This phrase is infuriating for a few reasons. First, it plays to, and reinforces, the false notion that credit card data is the thing you need to worry about in a breach. It is not.

Second, it relies on the phrase "no evidence". An absence of evidence is not evidence of absence.

The authors of these statements know both of those things. If they spent as much time securing their systems as they did crafting subtly deceptive blog posts, we'd all be better off.

@boblord This comment comes up after just about every breach disclosure. I am curious: what does a company say or do when an investigation is ongoing but so far has not come across any sign of credit card access? Consumers and reporters inevitably ask about CC access, so it's not really an option to simply say nothing. How can a company prove a negative anyway? They can either say it was accessed or that they have no indication it was accessed. What more can a breach victim say?
@dangoodin @boblord Saying there is no evidence something was taken without disclosing that there is also no evidence something was not taken is a bit disingenuous.
@dangoodin @boblord I believe there's a relevant Sagan quote: "Absence of evidence does not mean evidence of absence."
@gdbassett @boblord If you're not going to answer my question about the wording, I don't think there's much more for us to discuss.
@dangoodin @gdbassett @boblord Having written more incident response statements than most CISOs at this point in my career, I find a common pitfall is expecting a single statement to address the concerns of all stakeholders. What works for infosec doesn't work for everyone.
Good IR comms is an orchestrated symphony of tailored comms that answer different questions for each audience. These various communications align, but they’re not identical.

@Wednesday @dangoodin @gdbassett @boblord Writing an IR statement also requires two things that are fundamental (and rare to find):

- knowledge of the topic
- acknowledgment from the top-management

The second part is the weakest link, as usually there are more political concerns about disclosures than about facing the issue.

In my personal experience, the bigger the company, the more often the answer is "it's your fault (CISO) - farewell". Scapegoating is not the solution, but nobody from "above" will ever accept it with the current mindset IMHO.

There's a cultural issue about data security more than anything else.