Shostack + Friends Blog Archive


How to mess up your breach disclosure

Congratulations to Visa and Mastercard, the latest companies to skip notifying consumers in a prompt and clear manner, thereby inspiring a shrug and a sigh from consumers.

No, wait: there isn’t a clear statement, but there is rampant speculation and breathless commentary.

It’s always nice to see clear reminders that the way to get people excited about a breach is to dribble out the information. Because Visa and Mastercard aren’t talking, it falls to Brian Krebs to piece together what little the public knows, and so to decide how the public will come to understand the story; see MasterCard, VISA Warn of Processor Breach.

4 comments on "How to mess up your breach disclosure"

  • Dissent says:

    But, but, but…

    It’s not Visa’s or MC’s responsibility or place to notify consumers directly – they have no contractual relationship with consumers. It’s the breached entity’s responsibility – and their responsibility is to notify their clients.

    I’m guessing that they are still in the process of doing that and have not issued any public disclosure as yet to give their clients a chance to get ready for their customers’ flak/concerns.

    Breach disclosure dominoes.

    Actually, when I saw your blog title, I thought you were going to be blogging about this example of a messed up disclosure:

  • JT says:

    I disagree re Visa & Mastercard. It’s their ship – they have to notify.

  • Dissent says:

    JT: If you want to change the contractual relationship to make them responsible, I’m with you 137%. But it is what it is right now, and criticizing them when they haven’t violated their legal obligations seems unhelpful. As far as I’m concerned, it’s the processor who messed up the disclosure by not getting ahead of the disclosure so that it came out from other sources.

  • Hello,

    Even though the responsibility for the data breach belonged to the security vendor, we believe it was the affected companies’ responsibility, Visa and MasterCard, to announce the data breach to their customers, since they were directly prejudiced. Once the rumors got out of control, the two companies looked guilty in the eyes of public opinion. Please find here some considerations in regards to where the responsibility lies and how to train people to counter malicious acts:
