top | item 6640873


revisionzero | 12 years ago

I know there is an auditing process whenever a breach occurs, so it somewhat makes sense. However, it really seems like companies intentionally announce a 'smaller' breach, only to follow it up (99% of the time) with a 'massive' breach.

I would much prefer an initial 'massive' breach announcement (when possible), as that would breathe a higher level of transparency and honesty.


freehunter | 12 years ago

As someone in the information security industry, it's a balance between getting the information quickly and getting the information completely, especially in the case of a major organization that needs to communicate with customers. You're going to catch flak for not saying anything fast enough, and you're going to catch flak for saying something inaccurate.

In breaches I've been involved with, some companies would prefer to do the full investigation and then present the information to their customers (in accordance with the policy of whatever state they fall under the jurisdiction of). Others would rather let their customers know that there was a breach as soon as possible, while the investigation was ongoing (even if the information may change after the initial communication). It's really hard to say which is the "best" policy, but if it's CC data or PII, personally I would rather hear "2 million... no wait, 36 million" than not hear anything for days or weeks while my information is being disseminated.