I work in a related field (cyber insurance response) - typically takes a few months to identify exfiltrated data and then analyse it to understand what is in it. This might seem simple but there are usually in the region of hundreds of thousands to millions of files, and that may contain spreadsheets with tens of thousands of rows. This all has to be analysed, filtered and reduced to the point you have a list of PII which has been impacted, and can decide on what to do.Credit monitoring is usually offered as standard when a breach occurs, the UK is much less litigation friendly than the US so in the absence of any actual harm, that would discharge most of their obligations to protect you following an incident.
ooterness|2 years ago