Options

What constitutes a security breach?

Infosec_SamInfosec_Sam Admin Posts: 527 Admin
in Security News & Breaches
So I came across this article today, which talked about TeamViewer confirming an undisclosed breach from back in 2016. To summarize: a Chinese group exploited the Winniti backdoor to breach the company, but they failed to find any evidence of data being stolen during the incident. There was also no evidence found that hackers stole source code, even though they had access to it. Because of this, TeamViewer decided not to publish a security breach notification to their users.

So, my question is: should companies be required to disclose security breaches, even though no records were stolenClearly there's no need to report every phishing email that makes it through the filter or every blanketed DoS attack, but where should the line be drawn?

Full article here »
Community Manager at Infosec!
Who we are | What we do
· Share on FacebookShare on Twitter

Comments

  • Options
    TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    edited May 2019
    I find it difficult to believe there company was broken into and the hackers don't bother to steal anything. The issue probably was they were not logging the right type of events so they have absolutely no idea what was taken or not taken.  As for reporting, if no users records were accessed, than what harm is it to the public? I believe the way the laws are written now, if there any indication that users information was accessed and they were not logging this to see how many records were exposed, they have to report all users records may have been compromised, even if the hackers really only got a few hundred, they still have to report there user base of millions of records was compromised. This is why setting up the right kind of logging is critically important. If a company can prove that only a small number of records were exposed, they can report that. It looks far better to say the hackers only got 10,000 records than to have to say they stole 20 million.    
    Still searching for the corner in a round room.
    · Share on FacebookShare on Twitter
  • Options
    iBrokeITiBrokeIT Member Posts: 1,318 ■■■■■■■■■□
    The absence of evidence in this case is not proof that no records were stolen. 

    How do you know they have the tools and properly configured them to detect the data exfil?  If they don't, then they can certainly say we don't have any evidence of a breach and still have it be a true statement.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
    · Share on FacebookShare on Twitter
Sign In or Register to comment.