Featured Article

Silence gets you nowhere in a data breach

Your victim status won’t last long if your response is nonexistent

Comment

White megaphones pattern with black ornament on purple background. Shout, message, announcement and news concept.
Image Credits: DBenitostock (opens in a new window) / Getty Images

In cybersecurity, the phrase “what they don’t know won’t hurt them” is not only wrong, it’s dangerous. Despite this, it’s a motto that remains in many organizations’ PR playbooks, as demonstrated by the recent LastPass and Fortra data breaches.

LastPass has refused to answer any of TechCrunch+’s questions since it confirmed in December that hackers had exfiltrated customers’ encrypted password vaults a month earlier. Fortra is not only declining to answer our questions but also concealed details of a recent security breach — potentially affecting upwards of 130 of its corporate customers — behind a paywall on its website.

TechCrunch+ has learned that LastPass has already lost customers because of its silent-treatment approach to its breach. And Fortra is likely to face a similar fate after TechCrunch+ heard from multiple customers that they only learned that their data had been stolen after receiving a ransom demand; Fortra had assured them that the data was safe.

Smaller companies, too, are employing a silent-treatment approach to data breaches: Kids’ tech coding camp iD Tech failed to acknowledge a January breach that saw hackers access the personal data of close to 1 million users, including names, dates of birth, passwords stored in plaintext, and about 415,000 unique email addresses. Concerned parents told us at the time that they only became aware of the breach after receiving a notification from a third-party data breach notification service.

Cyberattacks are now a fact of doing business: Almost half of U.S. organizations suffered a cyberattack in 2022, and attackers are increasingly targeting smaller businesses due to the fact they are seen as easier targets than large companies. This means that your startup is likely to get compromised at some point.

Transparency is key

While getting hacked can be forgivable, an organization’s victim status will not last long if it fails to respond appropriately or at all — as demonstrated by LastPass and Fortra.

“Breaches themselves are less of a concern than how an organization responds to, recovers from, and communicates about a breach,” Katie Moussouris, founder and CEO of Luta Security, told TechCrunch+. “From startups to larger organizations experiencing a breach, the move that inspires trust is the one that is transparent about what happened and how they intend to improve.”

Transparency and trust go hand-in-hand, and trust is one of the most important aspects of a successful business. In order to keep your customers on-side, it’s essential to be as open as possible about a data breach. If you don’t — and news of the breach comes to light — you’re going to erode trust with your customers.

There’s no need to try and spin the situation or to attempt to downplay the severity of the incident; just share what you know, what you don’t know, and what you are doing about it.

To do so confidently, it’s also vital that you make sure you have the right technology in place to discover the breach and contain it quickly. If your startup is able to see risks and isolate quickly, then it will be more confident in its communication.

“In one case, I had a multi-billion-dollar health care organization, and they have no idea how something progressed through its network,” Jake Williams, former NSA hacker and incident responder, told TechCrunch+. “At the same time, they’ve got a couple of hundred customers they should be notifying.”

And so is being quick

Urgency is paramount. Failing to confirm a data breach promptly risks diminishing customer confidence and reputational harm that may be challenging to restore. This is particularly true if customer action is required: Users may need to respond on their end, such as by changing passwords or monitoring for any suspicious activity. By revealing data breaches quickly, you’re giving your clients the best chance to protect themselves from further acts of fraud.

“You’ve got the folks that don’t disclose or particularly disclose to meet some minimum legal requirement but don’t provide enough detail for an organization to evaluate the risk,” Williams said. “These downstream organizations end up spending a lot of time and money investigating their exposure.”

Being slow to respond to a data breach also runs the risk of regulatory action. While there is no federal data breach notification law in the United States, most states have data breach reporting laws for consumer information, which means your organization could face legal consequences and regulatory fines. In some cases, a failure to disclose a data breach in a timely way may well fall under the radar of the Federal Trade Commission or U.S. Securities and Exchange Commission, which can bring additional actions.

Take the 2016 Uber data breach: Uber paid hackers $100,000 to delete the data and stay quiet about the incident instead of disclosing the breach. Uber finally disclosed the breach in November 2017, but its delay in doing so led to lots of repercussions, including fines, sanctioned security protocols and criminal charges against its then-cybersecurity chief.

Human after all

Not only is your startup likely to be breached, but it’s likely to be breached as a result of human error.

According to a study by IBM, 95% of cybersecurity breaches result from human error, be it a coding mistake or clicking on a link in a particularly convincing phishing email.

Just as falling for these attacks is a very-human-thing, responding to them should be too: Be transparent, be helpful and compassionate, and please don’t ignore our emails.

It’s all in the (lack of) details: 2022’s badly handled data breaches

More TechCrunch

The official launch comes almost a year after YouTube began experimenting with AI-generated quizzes on its mobile app. 

Google is bringing AI-generated quizzes to academic videos on YouTube

Around 550 employees across autonomous vehicle company Motional have been laid off, according to information taken from WARN notice filings and sources at the company.  Earlier this week, TechCrunch reported…

Motional cut about 550 employees, around 40%, in recent restructuring, sources say

The keynote kicks off at 10 a.m. PT on Tuesday and will offer glimpses into the latest versions of Android, Wear OS and Android TV.

Google I/O 2024: Watch all of the AI, Android reveals

It ran 110 minutes, but Google managed to reference AI a whopping 121 times during Google I/O 2024 (by its own count). CEO Sundar Pichai referenced the figure to wrap…

Google mentioned ‘AI’ 120+ times during its I/O keynote

Here are quick hits of the biggest news from the keynote as they are announced.

Google I/O 2024: Here’s everything Google just announced

Google Play has a new discovery feature for apps, new ways to acquire users, updates to Play Points, and other enhancements to developer-facing tools.

Google Play preps a new full-screen app discovery feature and adds more developer tools

Soon, Android users will be able to drag and drop AI-generated images directly into their Gmail, Google Messages and other apps.

Gemini on Android becomes more capable and works with Gmail, Messages, YouTube and more

Veo can capture different visual and cinematic styles, including shots of landscapes and timelapses, and make edits and adjustments to already-generated footage.

Google gets serious about AI-generated video at Google I/O 2024

In addition to the body of the emails themselves, the feature will also be able to analyze attachments, like PDFs.

Gemini comes to Gmail to summarize, draft emails, and more

The summaries are created based on Gemini’s analysis of insights from Google Maps’ community of more than 300 million contributors.

Google is bringing Gemini capabilities to Google Maps Platform

Google says that over 100,000 developers already tried the service.

Project IDX, Google’s next-gen IDE, is now in open beta

The system effectively listens for “conversation patterns commonly associated with scams” in-real time. 

Google will use Gemini to detect scams during calls

The standard Gemma models were only available in 2 billion and 7 billion parameter versions, making this quite a step up.

Google announces Gemma 2, a 27B-parameter version of its open model, launching in June

This is a great example of a company using generative AI to open its software to more users.

Google TalkBack will use Gemini to describe images for blind people

Firebase Genkit is an open source framework that enables developers to quickly build AI into new and existing applications.

Google launches Firebase Genkit, a new open source framework for building AI-powered apps

This will enable developers to use the on-device model to power their own AI features.

Google is building its Gemini Nano AI model into Chrome on the desktop

Google’s Circle to Search feature will now be able to solve more complex problems across psychics and math word problems. 

Circle to Search is now a better homework helper

People can now search using a video they upload combined with a text query to get an AI overview of the answers they need.

Google experiments with using video to search, thanks to Gemini AI

A search results page based on generative AI as its ranking mechanism will have wide-reaching consequences for online publishers.

Google will soon start using GenAI to organize some search results pages

Google has built a custom Gemini model for search to combine real-time information, Google’s ranking, long context and multimodal features.

Google is adding more AI to its search results

At its Google I/O developer conference, Google on Tuesday announced the next generation of its Tensor Processing Units (TPU) AI chips.

Google’s next-gen TPUs promise a 4.7x performance boost

Google is upgrading Gemini, its AI-powered chatbot, with features aimed at making the experience more ambient and contextually useful.

Google reveals plans for upgrading AI in the real world through Gemini Live at Google I/O 2024

Veo can generate few-seconds-long 1080p video clips given a text prompt.

Google’s image-generating AI gets an upgrade

At Google I/O, Google announced upgrades to Gemini 1.5 Pro, including a bigger context window. .

Google’s generative AI can now analyze hours of video

The AI upgrade will make finding the right content more intuitive and less of a manual search process.

Google Photos introduces an AI search feature, Ask Photos

Apple released new data about anti-fraud measures related to its operation of the iOS App Store on Tuesday morning, trumpeting a claim that it stopped over $7 billion in “potentially…

Apple touts stopping $1.8B in App Store fraud last year in latest pitch to developers

Online travel agency Expedia is testing an AI assistant that bolsters features like search, itinerary building, trip planning, and real-time travel updates.

Expedia starts testing AI-powered features for search and travel planning

Welcome to TechCrunch Fintech! This week, we look at the drama around TabaPay deciding to not buy Synapse’s assets, as well as stocks dropping for a couple of fintechs, Monzo raising…

Inside TabaPay’s drama-filled decision to abandon its plans to buy Synapse’s assets

The person who claimed to have stolen the physical addresses of 49 million Dell customers appears to have taken more data from a different Dell portal, TechCrunch has learned. The…

Threat actor scraped Dell support tickets, including customer phone numbers

If you write the words “cis” or “cisgender” on X, you might be served this full-screen message: “This post contains language that may be considered a slur by X and…

On Elon’s whim, X now treats ‘cisgender’ as a slur