EXECUTIVE SUMMARY:
As news first emerged yesterday about Dell’s data breach, the drama was remarkably low, and it seemed to be a good example of a swift cybercrime shutdown. But as more hours have passed, the Dell incident has invited closer examination and some skepticism.
Forbes reports, “While claiming that there is ‘no conclusive evidence’ that any of the information being targeted by the attacker was actually extracted, Dell does admit that it is possible some may have been successfully exfiltrated.” Accordingly, Forbes asserts that this admission suggests that Dell “doesn’t have a complete handle on the events that took place on November 9th.”
TechTarget seems to agree, inferring that just because Dell’s claim that there was no evidence that attackers were successful, does not mean it’s case closed. “The absence of evidence,” writes TechTarget, “doesn’t mean the attackers were unsuccessful. We don’t have any idea how long Dell thinks the intrusion lasted – only that it detected the unauthorized activity on Nov. 9. But we do know that the threat actor or actors attempted to extract customer data, and that it was limited to just names, email addresses and hashed passwords.”
According to SCMedia, several industry experts expressed dismay that Dell moved quickly to reset passwords, without explaining why to the victims. Others were perturbed by a sense that Dell had minimized the potential seriousness of the breach by saying the information targeted was limited to just names, email addresses, and contact information–implying that that type of information is not quite so sensitive.
“Certainly similar breaches have historically suggested that threat actors with hashed passwords and email addresses are perfectly capable of discovering at least some usable passwords from this data. The risk is greatest for those who re-use their passwords across sites and services,” Forbes writes, noting that to be a common habit practiced by many online.
As has been the case in recent months, organizations are still trying to find the right timing to disclose incidents. As Wired noted last month, no one can seem to get it right. What seems to play out is that under pressure to comply with regulations like GDPR and other laws, organizations rush to disclose with inaccurate information. Then, updates follow, which often skew toward worse news.
It reminds me of something I’ve heard a million times over the years: It’s a process. But we can still hope for–and work toward–clear, truthful information as it unfolds, without saying, “Keep moving, nothing to see here.”
Get the full story at Forbes.
