Why Companies Keeping Breaches a Secret Could be a Good Thing

Philip Bates 03-09-2015

With the wealth of information online, we all worry about potential security breaches. But potentially, these breaches could be kept a secret in the USA.


It’s rare a month goes by without rumblings of data breaches. Just look at the Ashley Madison leak, which saw account details of cheating spouses dumped online. It’s a big deal, and has serious consequences. Users of Adult FriendFinder had similar headaches in May. Even eBay was compromised last year.

Keeping any sort of leak a secret sounds mad. But is it?

It would be in the interests of the companies involved, of course, but there could also be a positive knock-on effect for customers too. No, really. It’s not all roses, but it might not be quite as terrible as it sounds either.

When Companies Stay Silent


Proposed legislation could allow companies, in some circumstances, to remain tight-lipped when hackers access their systems – but only if they believe there is “no reasonable chance” such a breach could seriously affect customers. Typically, any company that falls victim to hackers would need to send details to the Federal Trade Commission (FTC). It would make current state disclosure laws, most of which push companies to announce leaks, moot.


Basically, if nothing sensitive or potentially damaging is stolen, businesses don’t need to notify you when they’re hacked.

Hacked businesses would need to evaluate whether the data extracted is anything customers should worry about, i.e. whether it could lead to identity theft or expose banking information. Normal procedures would then have to follow. Notifications would have to be sent if:

“a security breach involves: (1) the personal information of more than 10,000 individuals, (2) a database containing the personal information of more than 1 million individuals, (3) federal government databases, or (4) the personal information of federal employees or contractors known to be involved in national security or law enforcement.”

Gerald Ferguson, a privacy attorney at Baker & Hostetler LLP who advises companies when leaks occur, told the Wall Street Journal:

“[The bill] would lead to less notifications… It would permit companies to do a second analysis of whether there is a reasonable risk of financial harm. When you are starting to do a risk of harm analysis there is a lot of discretion.”

The Data Security and Breach Notification Act of 2015 was read twice and referred to the Committee on Commerce, Science, and Transportation in January.


Why This is Great for Businesses

This is all about what, ironically, Ashley Madison offered: discretion.

Reputation is key. That’s why, for instance, Carphone Warehouse remained coy about its recent breach, which may have affected 2.4 million people in the UK, for as long as possible. Nobody wants to use a company they think is vulnerable to attack. Oracle shot itself in the foot by begging customers not to reverse engineer its code to find security problems. It’s the same as admitting you’ve got lots of security issues, or throwing up a huge sign reading, “You can’t trust us with your personal information!”

Good shout, Oracle.

Reputation means a lot. It means money. A 2014 study revealed that businesses spent an average of $145 for each record leaked in a data breach, but when popular retailer Target announced in 2013 that 40 million customers’ credit cards had been compromised, victims could claim up to $10,000 in damages (though the payouts were considerably less on the whole). That came to $10 million in total.


Target Stock

It doesn’t seem to have massively damaged stock in the Target Corporation, though prices did dip following the breach. It might’ve actually helped that they disclosed information before they were legally required to.

Nonetheless, it was risky. Douglas Meal, an attorney, said at the Securities and Exchange Commission last March:

“[I]f you never disclose the breach at all then you don’t have the class action suits… It’s the disclosure of the breach that creates the firestorm of litigation… Companies think they are doing the right thing by disclosing but instead end up being viewed as the problem.”

Why It Could Be Good for Customers…

The spin? Too many notifications mean panicking customers with unnecessary worry. This is undoubtedly a good move for businesses targeted by hackers, but it might be a good move for you too.


A big problem right now with disclosure in the USA is that the laws differ from state to state. Complying with different regulations across states slows down the process of actually letting people know what’s happened. Instead of jumping through separate hoops, companies would only need to comply with the FTC ruling.

Criteria are often a concern: just how does an attorney determine what data could affect customers? Fortunately, these are clearly laid out in the draft of The Data Security and Breach Notification Act of 2015. Admittedly, they underline the importance of protecting data concerning national security, but the first and second clauses cover any major leak.


Notifications should be swift as well: if your personal financial information has been compromised, you should (in theory, at least) be told as soon as possible. That’ll mean more time to do something about it! The faster you act, the less it should impact you. Let’s use a UK business as an example of what not to do: Carphone Warehouse took three days to announce it had been the victim of a “sophisticated cyber-attack.” Up to 90,000 credit cards could be affected, though this data is encrypted, so the risk is reduced.

For anyone affected by this, Carphone Warehouse advised customers what to do, including making sure your bank monitors activity and checking your credit rating. In addition to these measures, you should also change passwords on those specific accounts, as well as on any others where you use the same password (and learn how to create a secure one), and be wary of phone calls warning of fraudulent activity (especially as criminals can often keep the line open, so that when you “call back” you reach them instead of your bank).

Go through a checklist of what to do if you’re a victim of credit card fraud, and keep in mind what banks will never ask you online or over the phone.

Notifications can cost money, too. Letting every customer know about every breach eats up resources. Yes, bypassing this would be better for companies, but it also means they can focus on closing potential holes in their security and investigating breaches. Companies have to be seen to be doing something about their security vulnerabilities, to reduce the damage to their reputations. Carphone Warehouse apologized and blocked access to the affected sites, but so far it isn’t offering money to any victims of fraudulent activity.

For Better or Worse?


It’s not law yet. I’m not saying it’s an ideal situation. Equally, it doesn’t have to be as bad as it sounds.

Customers do panic – and that’s an understandable reaction. Can you blame companies for wanting to reduce that worry… and the damage to their reputation and finances?

On the other hand, if a business keeps these things secret, how can you ever trust them? Do you feel safe giving them your personal information? And do they warrant your confidence?

Image Credits: finger over lips by Dean Drobot via Shutterstock, Security – Dictionary by American Advisors Group; The Carphone Warehouse by morebyless; and Target by Mike Mozart.


  1. Anonymous
    September 4, 2015 at 1:49 pm

    This is an extremely anti-consumer proposed law. Announcing a breach encourages swift and thorough investigation, as well as ensuring the security holes are fixed quickly. If this legislation comes into effect, I can imagine potential hackers deliberately taking less than 10,000 records. The company realises there's been a breach, but they don't have to disclose. Of course they're going to fix the security hole, but what's the rush? The damage has been done, and the technical team is snowed under right now; they'll get to it eventually. Meanwhile, the hackers come back, take another handful of records, but it's a new breach and there weren't 10,000 records stolen in this one either, still no rush to fix it...

    This might seem a little unrealistic, but it's only a matter of time. There are other issues too. Companies will certainly underestimate the number of people that a breach affected, or the severity of the data affected. Even if none of that happens, there's still the fact that up to 10,000 people could be affected without any need to disclose. That's 10,000 people who might have used the same weak password in multiple places. 10,000 people who are at a wider risk than just from this one company. Those people need to be informed so that they can protect themselves from those risks, and the general public needs to be informed to encourage companies to have strong security to begin with.