Weekly Update 466

I’m fascinated by the unwillingness of organisations to name the “third party” to which they’ve attributed a breach. The initial reporting on the Allianz Life incident from last month makes no mention whatsoever of Salesforce, nor does any other statement I can find from them. And that’s very often the way with many other incidents too, which, IMHO, sucks. My view is that when our data is provided to a third party and that party exposes it, we have a very reasonable expectation to know who lost it. My own personal info was exposed in the Ticketek breach last year; can you find any mention whatsoever in that disclosure notice of Snowflake DB? Nope, but that’s the “reputable, global third party supplier” they refer to. Another fun fact: the other third party they don’t name is HIBP: “We are aware some customers have recently been contacted by a third party regarding the impact to their information”. 🤷‍♂️

References

1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
2. Allianz Life was breached with 1.1 million unique email addresses affected (the unnamed third party is apparently Salesforce)
3. The 16 million record PayPal “breach” always smelled bad (probably because it’s not a PayPal breach!)