Introduction

One of the great things about modern times is that there is no shortage of organisations happy to state how seriously they take our privacy and security. The fact that this seems to be directly linked to more and more high-profile data breaches is, however, concerning to say the least. Every day it seems that another hacker has popped the locks of another high-profile institution, so if you are worried about the safety of your data, well, I don't blame you. It's getting to the point where some are just accepting that this is part and parcel of life, and that our data (no matter what we do) will end up in the hands of someone it shouldn't 😢. We shouldn't think like this, and more should be done to protect our data rather than uttering hollow words after it has been taken.

Organisations are clearly struggling with breaches and protecting our information at the moment. Nothing sets fire 🔥 to all your pretty marketing, strong branding and carefully cultivated image more than a good ol' fashioned data breach, where all of your big talk is undermined in front of the world. Obviously, no one likes to air their dirty laundry in public, even when it is 'the right thing' to do, and new laws like GDPR should compel them to do so. This leads many organisations to use clever little tricks to tell you about data breaches in ways that you could easily miss. In an age of Search Engine Optimisation (SEO), where companies spend large sums of money 💰💵💸 on making their site pages easily searchable, indexable and highly ranked in search engine results, it is amazing how difficult it can be to find company-written confessions.
If anything, you could easily be forgiven for thinking that many organisations don't want you to know about their breach 🕵️‍♂️!

[Image: Guy covering his eyes so he can't see the data breach in front of him]

Knowledge is Power

Before going into the various tactics employed by organisations to simultaneously announce and hide their breach confessions, it is worth exploring why it is important that users are kept informed. When users sign up for a service provided by an organisation, an agreement is made whereby the data provided by the user will be responsibly looked after by the organisation that stores it. This data may include:

Personally Identifiable Information (PII) such as Name, Address, Email, Date of Birth, Telephone and Mobile Numbers etc.

Sensitive Information such as Passwords (which, if reused, can grant access to other accounts), Multi-Factor Secrets, National Insurance, Social Security, Passport (when you fly), Driving Licence etc.

Financial Information such as Account Provider, Account Number, Sort Code, Long Card Number, Card Expiry Date and CVC.

All of this data needs to be kept safe for varying reasons. If the PII was compromised, it could open people up to phishing attacks and potentially identity fraud, which is never pleasant (to say the least). This is made even easier if the sensitive information gets stolen, and if the financial details are extracted, bad people from all over the world could potentially make fraudulent payments and steal your money. Lovely 😬🥺 (not really)!

What is Phishing? How this Cyber Attack Works and How to Prevent It

What is Phishing? Everything You Need to Know to Protect Yourself from Scam Emails and More

It should then go without saying that if ANY of this information is illegally taken, users need to be made aware so that they can ensure they remain safe.
By knowing, people can make the changes required, including changing email addresses, updating passwords, reordering payment cards, monitoring accounts for suspicious activity etc. If users are never informed, or "told" in a hidden way such that they miss the alert, then attackers have more time to inflict as much damage as they can. It's bad enough that the data was taken in the first place, but not enabling people to protect themselves is, in my opinion, far worse than the initial breach. Once the data has been released there is no getting it back, so victims need the information to take decisive, protective action.

[Image: Broken lock which needs to be fixed]

I have actually written a lengthy post about companies taking the "privacy and security of our data seriously", showing how meaningless this phrase is and how data breaches affect victims. If you have a bit of time I would recommend that you give it a read 🤓.

Simon Ramzi: The Privacy and Security of Our Data

Little Schemes 😈

Hopefully I've demonstrated just how important it is that users (and even potential customers) are made aware of security incidents so that they can protect themselves in the aftermath. With this in mind, how do organisations try to "inform" their clientele using the dark arts?

My favourite is the breach notice on their official page which, whilst potentially a really positive move 👍, is let down by the complete lack of any visible link to that page from their actual site 😆! It's there, you just can't get to it, and search engine crawlers will most likely not index the page, so you won't be able to search for it either (hence my earlier reference to SEO). The link will likely be visible in any news report, so you'll need to be looking out specifically for it. It could even be included in a vague announcement on Twitter, which means you'll need to have a profile, follow the account and be REALLY engaged with the brand, or be scrolling at just the right time.
A lot of stars and/or moons need to align there!

If not linking to the page is bad enough, how about deliberately instructing search engines not to find and/or index the page? Like I've mentioned, SEO is a well-known, mature concept where making a page rank in results has been documented at length. Some organisations go the opposite route for their confessions however, in a blatant attempt to make them difficult to find. This includes:

Modifying their /robots.txt file to instruct search engines to specifically NOT crawl named breach confession pages. This means that users cannot search for the page using terms from within it, but might be able to stumble across it on a wing and a prayer.

Setting their inline page robots meta tag to 'noindex' and thus telling search engines not to index the page. This would mean that the notice would NEVER come up in results.

Nice 🙄! So whilst the breach confession exists in all of its glory, you'll be really lucky if you ever find it, even if you use a search engine and explicitly look for it 🤣! Nothing to see here! NEVER HAPPENED!

Looking at official press releases, many organisations opt for the "we will be informing affected persons by email" approach, which on many occasions has been code for "not publishing a public confession on our site or official communications channels". Whether or not they have actually sent these emails out cannot be easily verified due to the private, point-to-point nature of email; it could only be determined if everyone affected confirmed they received one. In a world where language like "some users" and "a small fraction of users" is commonplace, again this becomes difficult to check. We can really only rely on the good word of the organisation who, despite "taking the privacy and security of data seriously", refuse to publish a public breach confession so that people can keep themselves safe.
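The two search-engine tricks described above (a robots.txt Disallow rule covering the notice page, and a 'noindex' robots meta tag on the page itself) are both easy to check for. The following is an added example, not code from the original post: a small Python script that takes a robots.txt body and the HTML of a notice page and reports which of the two techniques is in use. The site name, paths and page content are constructed placeholders so it runs offline; with a real site you would fetch /robots.txt and the notice page yourself and pass their text in.

```python
"""Check whether a breach notice page is being hidden from search engines.

Added example (not from the original post). It looks for the two techniques
the post describes: a robots.txt Disallow rule covering the page, and a robots
meta tag carrying 'noindex' on the page itself. All inputs are constructed
samples and the hostname/paths are placeholders, so no network access is needed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site: one rule hides the notice page.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /security-incident-2019
"""

# Constructed HTML for the notice page, carrying a 'noindex' robots meta tag.
SAMPLE_NOTICE_HTML = """\
<html><head>
<title>Notice of Data Security Incident</title>
<meta name="robots" content="noindex, nofollow">
</head><body><p>We take your privacy and security seriously.</p></body></html>
"""


def crawl_allowed(robots_txt: str, url: str, user_agent: str = "*") -> bool:
    """True if the robots.txt rules permit user_agent to crawl url."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())  # parse from text; no fetch needed
    return parser.can_fetch(user_agent, url)


class _RobotsMetaCollector(HTMLParser):
    """Collect every directive from <meta name="robots"> (or googlebot) tags."""

    def __init__(self) -> None:
        super().__init__()
        self.directives: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() in ("robots", "googlebot"):
            self.directives.extend(
                d.strip().lower() for d in attr.get("content", "").split(",")
            )


def page_is_noindex(html: str) -> bool:
    """True if the page asks search engines not to index it ('noindex' or 'none')."""
    collector = _RobotsMetaCollector()
    collector.feed(html)
    return "noindex" in collector.directives or "none" in collector.directives


def hiding_report(robots_txt: str, url: str, html: str) -> dict:
    """Summarise which of the two hiding techniques apply to a notice page."""
    return {
        "path": urlparse(url).path,
        "blocked_by_robots_txt": not crawl_allowed(robots_txt, url),
        "noindex_meta": page_is_noindex(html),
    }


if __name__ == "__main__":
    # Placeholder URL for the constructed sample site.
    notice_url = "https://example.com/security-incident-2019"
    for key, value in hiding_report(SAMPLE_ROBOTS_TXT, notice_url, SAMPLE_NOTICE_HTML).items():
        print(f"{key}: {value}")
```

Two caveats worth knowing when reading the output. A robots.txt rule is only a request that well-behaved crawlers honour, so it hides the page from search results rather than from the web, and the rule itself lists the very path it is trying to keep quiet for anyone who reads the file. A 'noindex' meta tag, by contrast, is only seen by a crawler that was allowed to fetch the page in the first place, which is why the two techniques are often used together.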
Also, with all the spam and sheer number of emails that people receive now, it wouldn't surprise me if people overlooked such emails unless they were worded very specifically.

[Image: Using magic tricks to make breach confessions vanish into thin air]

Another issue with the email approach to breach notices (as well as all the other magic tricks) is that it makes it very difficult for new users to find out about the breach (this couldn't be intentional at all). This could actually prove to be important information when choosing a service, so if it is hidden, are people being provided with everything they need to make an informed decision? Is it okay behaviour when organisations go out of their way to make these confessions (which do exist) magically vanish before your very eyes? Really, such emails should be published so that everyone can make an informed decision.

Finally, those breach confessions published on the organisation's website can go missing after a certain amount of time elapses, i.e. the company takes them down. There doesn't seem to be a set rule for how long a company needs to keep informing its users, so nothing really stops them from stealthily removing the notices from the internet. I do find this one interesting, especially when the breach has been reported in the news, as the link remains in the article; it just unfortunately ends up pointing at a dead end. How long is long enough is up for debate; it's just a shame that, again, it's difficult for existing users (who may have missed the initial release) and new users to make an informed decision when such trickery is being used.

A Way Forward

In my naivety, I thought that new data protection laws like GDPR in the UK would usher in a new age of fully transparent breach reporting. Whilst it seems more companies are reporting now (due to HEAVY potential fines), we are nowhere near where we could be.
I thought official, publicly searchable breach registers owned and managed by governing bodies like the UK's Information Commissioner's Office (ICO) would be set up. These would provide details of every reported breach by every organisation, detailing the size, scale and what was taken, along with a directory of who to contact in each case. We currently do have the searchable database HaveIBeenPwned as well as articles which aggregate attacks, but these are not run by governing bodies and are by no means an account of every breach officially reported. Rather, these resources are volunteered by people across the web.

HaveIBeenPwned: Breached Websites

Information is Beautiful: World's Biggest Data Breaches & Hacks

IT Governance: List of Data Breaches and Cyber Attacks in October 2019 – 421 Million Records Breached

Business Insider: If You Bought Anything from these 19 Companies Recently, Your Data May Have Been Stolen

Given the existence of company breach shenanigans and the absence of official, searchable breach databases, I would recommend adding the following actions to your behaviour when deciding to use a service.

Check if the organisations in question have been breached by searching their names followed by keywords like "breached" and "hacked". News articles don't get taken down even when confessions do, and they are HEAVILY SEO friendly 🤣.

Don't just flat out reject an organisation that has been breached, as some actually do grow from the experience. Look at their response (if still available) and make a judgement on whether or not they care.

Do be wary of ANY organisation that uses a version of the phrase "we take privacy and security seriously" and uses cookie-cutter template language in response. If they can't be bothered to write a real message, they don't care about you or your data.

Do be wary of ANY organisation that uses vague language when describing any incidents.
If it looks like a company is trying to be economical with details that would help you stay safe, do you really believe they care?

[Image: Cute puppy taking the time to appreciate how our actions affect others]

Decent, informative breach notices exist and we should give credit where credit is due. They are unique, specific, express sympathy and provide you with the information you need to make the necessary decisions. Yes, it's infuriating that your data may have been taken in a data breach when it wasn't your fault, but trust me, when you read a lot of notices you'll find these are the EXCEPTION, not the rule 🤦. Responses even at this level used to frustrate me; however, because the VAST MAJORITY I've read just drop some copy-paste, cardboard cutout platitudes and little else, be very thankful when companies are THIS candid! Standards, eh?! We also need to be mindful that mistakes happen and these companies are opening up and taking responsibility for their actions.

Imperva Security Update

Timehop Security Incident, July 4th, 2018

An Update From Elliot Luchansky, CEO Of INSYNQ

Security is Constantly Evolving

As more and more of our lives are handled by the internet, we will be handing over more and more of our data to organisations. It is thus very important that they handle this information responsibly, as it can be pretty dangerous in the wrong hands. Unfortunately, with the increasing spotlight on data breaches, to save face it seems that some organisations are resorting to magic tricks to "do the right thing" whilst simultaneously hiding it from view. This is a shame, as it makes it more difficult for users to keep themselves safe. To help your due diligence when researching service providers, it is advisable to find out whether an organisation has been breached using specific keywords in search engines, and use their response to inform your decision. Hopefully, our governing bodies will make this easier for us in the future.

Take care and all the best. Si.