What constitutes a security breach?

Infosec_Sam | Security+, CCENT, ITIL Foundation, A+ | Madison, WI | Admin | Posts: 517
So I came across this article today, which talked about TeamViewer confirming an undisclosed breach from back in 2016. To summarize: a Chinese group exploited the Winnti backdoor to breach the company, but they failed to find any evidence of data being stolen during the incident. There was also no evidence found that hackers stole source code, even though they had access to it. Because of this, TeamViewer decided not to publish a security breach notification to their users.

So, my question is: should companies be required to disclose security breaches, even though no records were stolen? Clearly there's no need to report every phishing email that makes it through the filter or every blanketed DoS attack, but where should the line be drawn?

Full article here »
Community Manager at Infosec!
Who we are | What we do

Comments

  • TechGromit | GSEC, GCIH, GREM | Ontario, NY | Member | Posts: 2,000
    edited May 2019
    I find it difficult to believe their company was broken into and the hackers didn't bother to steal anything. The issue probably was they were not logging the right type of events, so they have absolutely no idea what was taken or not taken. As for reporting, if no user records were accessed, then what harm is it to the public? I believe the way the laws are written now, if there is any indication that users' information was accessed and they were not logging this to see how many records were exposed, they have to report all user records may have been compromised; even if the hackers really only got a few hundred, they still have to report their user base of millions of records was compromised. This is why setting up the right kind of logging is critically important. If a company can prove that only a small number of records were exposed, they can report that. It looks far better to say the hackers only got 10,000 records than to have to say they stole 20 million.
    Still searching for the corner in a round room.
  • iBrokeIT | GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT | Member | Posts: 1,303
    The absence of evidence in this case is not proof that no records were stolen. 

    How do you know they have the tools and properly configured them to detect the data exfil?  If they don't, then they can certainly say we don't have any evidence of a breach and still have it be a true statement.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security