• Corkyskog@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    5
    ·
    11 months ago

    Are these leaks even being reported by companies? Every article I have seen so far has just been compiling information off the new leaked data set someone picked up off the dark web or something.

    • Kiernian@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      11 months ago

      They weren’t, which is why the SEC updated 17 CFR Parts 229, 232, 239, 240, and 249.

      https://www.sec.gov/files/rules/final/2023/33-11216.pdf

      As of December 18th of last year, publicly traded companies are now required to disclose breaches. (soz, material cybersecurity incidents).

      Prior to that, they could …basically… just effectively sweep everything under the rug “like it never happened” minus a little handwaving and paper shuffling and nobody would find out about it until the information got sold and went public.

      I’ll have to go looking but I would be SERIOUSLY surprised if the disclosures apply to credit card companies (the MOST breached, historically) because I’m not sure what exactly qualifies someone as an asset-backed issuer, but it’s at least a really good step for the REST of things.