As we read the news of attacks day after day and wonder "can it get any worse?", the reality is that it likely already is much worse than we think.
Buried in the mass of data released by the Sony hackers were emails from Courtney Schaberg, VP of legal compliance, telling people inside the company, including chief counsel Leah Weil, that Sony had suffered another hack: attackers had obtained credentials (the accounts were now disabled), uploaded malware, and compromised some data.
A follow-up email describes the data that was taken, along with an assessment that Brazil, where the attack took place, does not have a breach notification law, although it does have other privacy-related laws.
The email, labelled Privileged and Confidential, goes on to recommend against telling the affected people that their data was compromised, because the law does not require it, the data taken was not terribly sensitive, and notifying the people whose data was taken would not help them much in mitigating the damage.
Part of the logic in deciding whether or not to disclose was whether the media would out them. In this case, the Brazilian media had not mentioned Sony by name after a reporter contacted the company, so maybe they could squeak by.
In the U.S., only certain kinds of breaches (such as those involving credit card data or health care data, among a few others) REQUIRE disclosure, and even then many of the laws let the business assess the risk the compromise poses to the victim when deciding whether to tell people that their data was taken.
In the absence of a federal law requiring all companies to own up to breaches every time, breaches will be under-disclosed. After all, disclosing a breach that a company might be able to sweep under the rug will certainly cost the company more money and cause more problems, including lawsuits.
As a result, in addition to the breaches a company never realizes it has suffered, there are likely many others that go undisclosed following the very same logic Sony used.
What percentage of breaches is disclosed? No one knows. But probably far less than we think.
Information for this post came from Gawker.