re: Is it time to penalize companies who suffer a data breach?
Posted on 5/8/26 at 10:56 am to forkedintheroad
quote:
Does this only apply to e data?
Do companies get penalized for robberies? Arson? Blackmail?
Can we penalize them if anything bad happens to them? They can prevent everything, right?
I don’t remember the Capital One robber getting my SSN, bank account, CC#, and various other bits of personal information like they did with the ATT data breach.
Posted on 5/8/26 at 11:01 am to LSUFanHouston
quote:
I worked for a large healthcare company that had a data breach. We followed all industry standards and requirements, we were also insured against data compromises, and we followed all of the insurance requirements, so tell me why my company should be punished for doing everything right and by the book.
Is it time to penalize companies who suffer a data breach
Posted on 5/8/26 at 11:04 am to LSUFanHouston
Been time… for that matter all businesses need to start taking responsibility… including mechanics who are not responsible for anything in your car that's stolen or if it's stolen off their lot… tire shop not responsible for lost or broken nuts, etc.
Posted on 5/8/26 at 11:07 am to LSUFanHouston
I think it makes sense, but I imagine most of the Terms & Conditions none of us read (but we all agree to - "I'm not reading all that") may attempt to safeguard companies from this? I have no idea if true, or if legal, or if it would stand up in court.
Posted on 5/8/26 at 11:11 am to LSUFanHouston
quote:
Honestly, does this have an impact?
A data breach or ransomware event are two of the worst possible scenarios for any business. I tend to agree with some others who said if a business isn't taking cybersecurity seriously, they should get dinged. But I'd wager over 90% of serious businesses are at or close to cybersecurity best practices by now. The other 10% are very foolish.
Posted on 5/8/26 at 11:26 am to Sharlo
quote:
He basically said the same thing you did. That it was a perpetual game of cat-and-mouse, and the really bad guys had state sponsorship, talent, and unlimited resources. If they decide they want to hit you, they can camp out and surveil your network and security for months before making a move.
I've seen it firsthand. I can't help but be impressed by the things these groups can do. They can setup camp in an infrastructure for weeks and setup their attack so that all they have to do when the time is right, is click a button. All the while remaining undetected.
Belarus, China and Russia are the major hotspots. Ransomware-as-a-Service is becoming a rather large industry. "Want to take out your biggest competitor? We can do it for a fee." And if the competitor has to pay up because they don't have a proper backup strategy? That money goes to the threat actors as well. Upon payment receipt, most of these groups will actually follow through with decryption assistance because otherwise, reputation gets out and nobody will pay them no matter how desperate they are to get their systems/data back.
Posted on 5/8/26 at 11:29 am to Naked Bootleg
here's an example of a note they will conspicuously leave where the company will find it:
quote:
Hi friends,
Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.
Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:
1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal.
2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help.
3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data.
4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog.
5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us.
If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:
1. Install TOR Browser to get access to our chat room.
2. Paste this link - (redacted)
3. Use this code - (redacted) - to log into our chat.
Keep in mind that the faster you will get in touch, the less damage we cause.
Posted on 5/8/26 at 11:39 am to LSUFanHouston
How would this possibly be enforced? Who determines what is a breach due to gross negligence vs a breach due to a zero day that cannot be stopped? How do you impose this on a small business that simply cannot afford the proper prevention tools in the first place?
This post was edited on 5/8/26 at 11:41 am
Posted on 5/8/26 at 11:42 am to Everyday Is Saturday
quote:
Skeptic in me thinks Data security industry loves them some fear!
I work in cybersecurity and we only like it when it's not our stuff getting hacked.
Realistically, most times this happens people are ignoring alarm bells.
The Target hack had an Intrusion Prevention System going off for days that they just ignored.
One of my customers had a password compromised via VPN and got a call from their EDR and shut it down in 15 minutes because they actually paid attention.
Posted on 5/8/26 at 12:41 pm to LSUFanHouston
quote:
So should the US government work with companies so everyone is on same playing field?
There have been numerous government initiatives to help train, educate, certify federal contractors and large companies.
Most of those programs help with basic training and protocols. But nothing that would help prevent a sophisticated attack involving previously unknown malware.
Also, keep in mind that the best and brightest minds in these fields are not in the government. They’re at the upper echelon of the private sector.
Posted on 5/8/26 at 12:45 pm to jdd48
quote:
How do you impose this on a small business that simply cannot afford the proper prevention tools in the first place?
Nope.
This is a cost of doing business. If a small business can’t afford the proper tools, they need to find a line of business that does not require storing sensitive data.
Small business does not get an exception.
Posted on 5/8/26 at 12:47 pm to Sharlo
quote:
Also, keep in mind that the best and brightest minds in these fields are not in the government. They’re at the upper echelon of the private sector.
And these private sector guys are being outsmarted by fourth world people with backing from fourth world countries?
Posted on 5/8/26 at 12:54 pm to LSUFanHouston
quote:
Skeptic in me thinks Data security industry loves them some fear
Just freeze your credit and carry on. I don't do credit cards and my mortgage is my only debt.
Posted on 5/8/26 at 12:56 pm to Naked Bootleg
quote:
A data breach or ransomware event are two of the worst possible scenarios for any business. A tend to agree with some others who said if a business isn't taking cybersecurity seriously, they should get dinged. But I'd wager over 90% of serious businesses are at or close to cybersecurity best practices by now. The other 10% are very foolish.
They may very well be, but the majority of data breaches aren't brute force attacks/hacks.
It’s Paul down in accounting reusing the same password for his login that he uses for PornHub or he clicked on a link he shouldn’t have and the password was stolen/phished.
The “best practices” guidelines generally don’t help with this and it’s just a way for companies to point to a third party and say “well we’re doing everything they say we should.”
If your company is legitimately hacked and you’ve done everything recommended, fine. Chalk it up to the game. However if your data breach of 1.5mil people resulted from Paul scenario above, yes your company should be liable/fined.
Posted on 5/8/26 at 1:02 pm to Naked Bootleg
quote:
But I'd wager over 90% of serious businesses are at or close to cybersecurity best practices by now.
Given how corporations view cost centers… I think the percentage is a lot lower
Posted on 5/8/26 at 2:00 pm to LSUFanHouston
quote:
But I'd wager over 90% of serious businesses are at or close to cybersecurity best practices by now.
Given how corporations view cost centers… I think the percentage is a lot lower
Again... I work in cybersecurity.... it's really, really low.
In my customer base, maybe 20% use some form of MFA, unless they're forced to.
I do regular best practice assessments on 100s of Palo Alto Firewalls and no less than 2x a year I find an any/any/any security rule to which I have to go "wtf is this? why even have a firewall guys?"
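The any/any/any allow rule the poster above keeps finding is easy to catch in a config review before it ships. The following is an added example, not the poster's tooling and not a Palo Alto Networks product, that audits a PAN-OS XML configuration export for enabled allow rules matching on "any" too broadly. It assumes the usual export shape (security rules under rulebase/security/rules/entry, each with from/to/source/destination/application/service member lists, an action, and an optional disabled flag); the sample config embedded in the block is constructed for the example.

```python
"""Audit a PAN-OS XML configuration export for over-permissive allow rules."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS running-config export (assumption about
# the layout; the rule names and addresses are made up for this example).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-web-out">
        <from><member>trust</member></from><to><member>untrust</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>web-browsing</member><member>ssl</member></application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
      <entry name="temp-troubleshooting">
        <from><member>any</member></from><to><member>any</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>allow</action>
      </entry>
      <entry name="lan-to-dmz-anyapp">
        <from><member>trust</member></from><to><member>dmz</member></to>
        <source><member>10.0.0.0/8</member></source>
        <destination><member>dmz-servers</member></destination>
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>allow</action>
      </entry>
      <entry name="old-any-rule">
        <from><member>any</member></from><to><member>any</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>allow</action>
        <disabled>yes</disabled>
      </entry>
      <entry name="deny-all">
        <from><member>any</member></from><to><member>any</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>deny</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

MATCH_FIELDS = ("from", "to", "source", "destination", "application", "service")


def members(rule, field):
    """Set of <member> values under one rule field, e.g. {'any'} or {'trust', 'dmz'}."""
    return {m.text.strip() for m in rule.findall(f"./{field}/member") if m.text}


def audit_rules(config_xml):
    """Return findings for enabled allow rules that match on 'any' too broadly."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if (rule.findtext("action") or "").strip() != "allow":
            continue  # an any/any deny is the expected default-deny shape, not a finding
        if (rule.findtext("disabled") or "no").strip() == "yes":
            continue  # disabled rules do not pass traffic (but are worth cleaning up)
        any_fields = [f for f in MATCH_FIELDS if members(rule, f) == {"any"}]
        if {"source", "destination", "application", "service"} <= set(any_fields):
            severity = "critical"  # the any/any/any allow: the firewall is not filtering
        elif {"application", "service"} <= set(any_fields):
            severity = "high"      # addressed, but every application and port is allowed
        else:
            continue
        findings.append({"rule": rule.get("name"), "severity": severity, "any_fields": any_fields})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_CONFIG):
        print(f"[{f['severity'].upper()}] {f['rule']}: 'any' on {', '.join(f['any_fields'])}")
```

Run it against a real export and the "temporary" troubleshooting rule that never got removed shows up as critical; the rule that is addressed but allows every application and port shows up as high, which is the one most often waved through because it looks restricted.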
Posted on 5/8/26 at 2:31 pm to LSUFanHouston
In a perfect world, maybe; but, it isn't a perfect world.
Who would do the penalizing? Where would the financial penalties go? Do the penalties go up based on the simplicity of the cyber security deployed? Is there a time limit for remediation?
If you announce that XYZ Corp was penalized for only having the basic firewall and antivirus software, you're advertising to the world that they are sitting ducks for another hack because the security tools can't be upgraded overnight.
Posted on 5/8/26 at 2:33 pm to LSUFanHouston
regulated industries do get penalized for data breaches
Posted on 5/8/26 at 2:42 pm to PJinAtl
quote:
If you announce that XYZ Corp was penalized for only having the basic firewall and antivirus software, you're advertising to the world that they are sitting ducks for another hack because the security tools can't be upgraded overnight.
Government agencies take a long time to investigate, plenty of time to fix before penalty assessment.
Posted on 5/8/26 at 2:43 pm to gmrkr5
quote:
regulated industries do get penalized for data breaches
That’s a good start