Data Breaches: How to Respond to a Tipoff of a ProblemTroy Hunt Says Transparent, Calm Communication Is Key
What should an enterprise do when someone reaches out and claims to have the company's data or information about a breach?
There's no rule book for a response, and such an encounter can often take a confrontational turn for the worse, says Troy Hunt, an Australian data breach expert and creator of the Have I Been Pwned data breach notification service.
"When an organization is standoffish, immediately each side starts putting up their defenses and is reticent to share information or is looking for assurance and guarantees and things that often hinder the process," Hunt says.
In this video interview, Hunt discusses:
- How to de-escalate situations where someone is threatening to release data;
- Why inserting a page called "security.txt" into a website is the best way to send a positive signal to security researchers.
- How the environment around reporting and responding to security vulnerabilities has somewhat improved.
Hunt created Have I Been Pwned, which notifies individuals when their email address turns up in breaches. He is a Microsoft regional director and MVP, Pluralsight author and internet security specialist. A frequent speaker at conferences around the world, he runs workshops focusing on secure authentication, best password practices and how to avoid data breaches.