Saturday , March 29 2025

Majority of US IT Pros Told to Keep Quiet About Data Breaches

While an increasingly number of regulations have made the reporting of data breaches mandatory, a majority of IT professionals in the United States say they have been told to keep quiet about an incident, potentially running afoul of legal requirements.

In a survey released last week, 42% of the more than 400 IT and security professionals surveyed — and 71% of those in the United States — maintain that they have been instructed to keep a data breach confidential when they knew the incident should be reported. Three in 10 of those surveyed have acquiesced and not reported the breach, according to the “2023 Cybersecurity Assessment Report,” published by cybersecurity firm Bitdefender.

FBI investigating cyberattack at Oracle, Bloomberg News reports

The Federal Bureau of Investigation (FBI) is probing the cyberattack at Oracle (ORCL.N), opens new tab that has led to...
Read More
FBI investigating cyberattack at Oracle, Bloomberg News reports

OpenAI Offering $100K Bounties for Critical Vulns

OpenAI has increased its maximum bug bounty payout to $100,000, up from $20,000, to encourage the discovery of critical vulnerabilities...
Read More
OpenAI Offering $100K Bounties for Critical Vulns

Splunk Alert User RCE and Data Leak Vulns

Splunk has released a security advisory about critical vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. These issues could lead...
Read More
Splunk Alert User RCE and Data Leak Vulns

CIRT alert Situational Awareness for Eid Holidays

As the Eid holidays near, cybercriminals may try to take advantage of weakened security during this time. The CTI unit...
Read More
CIRT alert Situational Awareness for Eid Holidays

Cyberattack on Malaysian airports: PM rejected $10 million ransom

Operations at Kuala Lumpur International Airport (KLIA) were unaffected by a cyber attack in which hackers demanded US$10 million (S$13.4...
Read More
Cyberattack on Malaysian airports: PM rejected $10 million ransom

Micropatches released for Windows zero-day leaking NTLM hashes

Unofficial patches are available for a new Windows zero-day vulnerability that allows remote attackers to steal NTLM credentials by deceiving...
Read More
Micropatches released for Windows zero-day leaking NTLM hashes

VMware Patches Authentication Bypass Flaw in Windows Tool

On Tuesday, VMware issued an urgent fix for a security flaw in its VMware Tools for Windows. CVE-2025-22230 allows a...
Read More
VMware Patches Authentication Bypass Flaw in Windows Tool

IngressNightmare
Over 40% of cloud environments are vulnerable to RCE

Kubernetes users of the Ingress NGINX Controller are advised to fix four newly found remote code execution ( RCE) vulnerabilities,...
Read More
IngressNightmare  Over 40% of cloud environments are vulnerable to RCE

(CVE-2025-29927)
Urgently Patch Your Next.js for Authorization Bypass

Next.js, a widely used React framework for building full-stack web applications, has fixed a serious security vulnerability. Used by many...
Read More
(CVE-2025-29927)  Urgently Patch Your Next.js for Authorization Bypass

Oracle refutes breach after hacker claims 6 million data theft

A hacker known as “rose87168” claims to have stolen six million records from Oracle Cloud servers. The stolen data includes...
Read More
Oracle refutes breach after hacker claims 6 million data theft

The pressure to keep silent on a potential breach of data not only puts companies at risk of fines and penalties but could place workers at risk as well. In reality, the decision to disclose a breach or not should rest with the executive teams, says Martin Zugec, technical solutions director at Bitdefender.

“If I’m an IT administrator, and maybe security is not even my full-time job, it’s really hard for me to say if we do have the requirement to disclose or not,” he says. “So the responsibility for security should start with executives, with the leadership of the company, and they should be involved in the decision to disclose.”

The impetus to not report a breach is certainly not new. In 2018, for example, a similar survey found that 84% of cybersecurity professionals expected timely notification of a breach, but only 37% of the same group put an emphasis on the expeditious notification of a breach to their customers. In perhaps the most notorious example, a jury found Joe Sullivan, the former CSO of Uber, guilty of obstruction of justice and a related charge last year for his cover-up of a data breach in 2016.

Regulatory Chaos Leads to Problems in United States

While an increasing number of regulations require that companies disclose, those regulations are unfortunately not consistent. That’s especially true in the United States, where a large company will find itself having to comply with 50 jurisdictions, federal regulations, and industry-specific regulations, says Bryan Cunningham, former deputy legal adviser to Condoleezza Rice when she was national security adviser, and now an adviser with Theon Technology. To boot, many companies have customers in Europe, which places them under requirements of the GDPR.

“There are sometimes instances of data handling where it’s literally impossible to comply with the European Union laws and US laws at the same time,” he says. “So the internal people at these companies are torn in a bunch of different directions.”

The European Union’s integrated approach to data security creates a consistent blanket of requirements compared with the United States and its hodgepodge of state, federal, and industry regulations regarding privacy and data protection — which perhaps leads to better disclosure stats.

Three-quarters of respondents in the US (75%) experienced a data breach in the last 12 months, while 51% of respondents in the United Kingdom, 49% in Germany, and even fewer in Italy, Spain, and France experienced a data breach. Yet, compared with the 71% of respondents in the United States who were instructed to keep a breach quiet, just 44% of respondents in the United Kingdom said the same, 37% in Italy, and less than 35% in Germany, Spain, and France, according to the “2023 Cybersecurity Assessment Report.”

“We need to make it much clearer who’s supposed to do what and when, which is why I believe that initiatives like the GDPR are making us, as a whole society, much safer,” Zugec says. “The model of individual responsibility that we have it set up today [in the US], we are running into its limits.”

Penalties Depend on Jurisdiction, Details

The penalty for failing to report a data breach varies widely by the jurisdiction and the specifics of the case, says Kevin Tunison, data protection officer for Egress, an email security provider. In the case of Uber’s security chief, Sullivan, the company paid hackers $100,000 through a bug bounty program to keep quiet about the breach, and the CEO approved of the action.

“There must be disagreement in a healthy culture to debate whether an incident is reportable — if everyone agreed, there would be no need for data protection legislation,” Tunison says. “Lastly and most importantly, human error is no longer an excuse a business can fall back on. It is the responsibility of every organization to take reasonable and cost-effective steps to avoid the avoidable.”

In the US, the criminal code, Title 18, has a variety of potential charges that could be leveled against a person who hindered a data breach investigation, including by not reporting the original incident as required. In the EU, of the 27 countries signed onto the GDPR, 10 have prison terms as a potential penalty for criminal liability.

“Depending on the jurisdiction(s) the company operates in, the risks can be as significant as life in prison,” Tunison says.

The good news is that companies appear to be changing directions, especially in the wake of the Sullivan case. While small and midsize enterprises may not have received the memo because they typically are not the target of enforcement actions and lawsuits, the largest firms around the world are starting to work with governments and asking for more homogenous regulations, says Theon Technologies’ Cunningham.

“I think there is a pretty significant cultural shift among certainly publicly traded companies and regularly regulated companies, that the days of being able to bury this stuff are over,” he says. “Even the wisdom of doing that has been completely reevaluated.”

Check Also

March 2025

Qualcomm’s March 2025 Security Bulletin Highlights Major Vulns

Qualcomm’s March 2025 Security Bulletin addresses vulnerabilities in its products, including automotive systems, mobile chipsets, …

Leave a Reply

Your email address will not be published. Required fields are marked *