@masek @PogoWasRight @euroinfosec
I agree with @PogoWasRight on certain points that, in my view, are quite straightforward.
Let’s start from the premise that, in the vast majority of cases, the affected entities do not adequately protect their data - any kind of data. And here lies the strict liability of those who, on the contrary, should have ensured its security.
If a cybercriminal claims to be in possession of exfiltrated data, they generally also provide proof files and a file tree. Consequently, if the attacker’s claims are true, the affected entity is already aware of both the volume of the exfiltrated data and its nature.
Third point: a data breach always causes harm. Personally, I wouldn’t dwell too much on the damage suffered by the affected entity; I’m much more interested in the consequences that damage causes - or could cause - to “indirect victims” (students, school staff, patients…), that is, all those people who have entrusted their data and their trust to third parties such as schools, universities, hospitals, and other organizations. Of course, we can also assess the severity of the damage on a scale of 1 to 10, but the damage remains nonetheless, and when personal data is exposed, the perception of severity is always subjective.
The fact remains, however, that if a person entrusts sensitive data to a third party, that party has not only a legal obligation to protect it without any negligence but also a moral duty to prevent someone’s private life from being publicly exposed.
Finally, I find the behavior of numerous entities affected by cyberattacks involving data exfiltration and encryption to be very disappointing: they often inform the “indirect victims” only after many months and, in some cases, even years later.
