Saturday Edition: The Necessity of Legislation for Greater Transparency in Breach Notices at Bluefield University
Good day, chums! Pull up a seat; you’re about to hear a right old cyber pickle, surrounding a situation that really does highlight why we need stronger and more transparent laws regarding data breaches.
So, grab a cuppa and buckle up. This is the tale of the Bluefield University Breach. On the 2nd of May, news broke of a cyberattack on good old Bluefield University, in Virginia. According to the local news, the university had picked up on a major cybersecurity issue just a day earlier and was already working to repair the damage.
However, the whole situation started going off the rails pretty fast! On May 7th, a group called Avos Locker began leaking data they’d nabbed from the breach and claimed to still have access to more. Not only that, but apparently, someone from the group started posting on the information security exchange, basically admitting that they were airing Bluefield’s dirty laundry because they weren’t getting paid.
Reports soon came through that Avos Locker was continuing to gain access to fresh data because Bluefield hadn’t warned its community to stop submitting personal information into the system. Now, that’s a right sticky situation, isn’t it?
Even when asked if they had notified the students, parents and staff whose sensitive information had been stolen, Bluefield didn’t reply. Not really cricket, eh?
By mid-May, Bluefield had managed to get most of its system back to some kind of functionality; but by then, data leaks had taken a wrong turn down the social media lane. Troubling, isn’t it?
Fast forward to the end of November, and the pot really started boiling over. Despite knowing about the breach since May and having ample evidence of large-scale data theft, Bluefield didn’t let on till late November, leaving over 23,000 people in the dark about their data being stolen. Now that’s a breach of trust, isn’t it?
This brings me to my point: there is an absolute need for stronger, more transparent legislation about such breaches. We need laws that make it compulsory for entities to promptly and honestly disclose such issues, so people affected can act accordingly.
This legislation should clearly require a breach notice to state when and how the entity first became aware of the incident, when it realized personal info had been accessed and stolen, and whether the stolen data ended up on the internet.
But it’s not just about notifying the victims and authorities at once if personal data is leaked or dumped online. It’s about being honest and clear about the situation. Using sly phrases like “your data may have been accessed or acquired” when it clearly was is just sour. If a company has no idea whether data was accessed or not, victims need to know, so they can prepare for the worst.
We also need stronger laws for the education sector, which often holds personal and identity information for decades but currently doesn’t face as strict regulations in case of data breaches.
So, that’s my two pence worth. We will be pushing for greater transparency and will keep following such issues. A stitch in time saves nine, as they say, and these stitch-ups can’t be swept under the rug any longer.
by Parker Bytes