What constitutes a security breach?

Infosec_Sam

So I came across this article today, which talked about TeamViewer confirming an undisclosed breach from back in 2016. To summarize: a Chinese group exploited the Winniti backdoor to breach the company, but they failed to find any evidence of data being stolen during the incident. There was also no evidence found that hackers stole source code, even though they had access to it. Because of this, TeamViewer decided not to publish a security breach notification to their users.

So, my question is: should companies be required to disclose security breaches, even though no records were stolen? Clearly there's no need to report every phishing email that makes it through the filter or every blanketed DoS attack, but where should the line be drawn?

Full article here »

TechGromit

I find it difficult to believe there company was broken into and the hackers don't bother to steal anything. The issue probably was they were not logging the right type of events so they have absolutely no idea what was taken or not taken.  As for reporting, if no users records were accessed, than what harm is it to the public? I believe the way the laws are written now, if there any indication that users information was accessed and they were not logging this to see how many records were exposed, they have to report all users records may have been compromised, even if the hackers really only got a few hundred, they still have to report there user base of millions of records was compromised. This is why setting up the right kind of logging is critically important. If a company can prove that only a small number of records were exposed, they can report that. It looks far better to say the hackers only got 10,000 records than to have to say they stole 20 million.