[ Wednesday, January 30, 2019 ]
Discover noted something funny
Jeff [12:38 PM]
that indicated that some of its cardholders' information was out on the web, indicating that there had been a breach somewhere. Discover's notice doesn't contain much information (more on that in a bit), but it does indicate that the breach wasn't their fault. However, they did replace cards for affected individuals and agreed that those individuals wouldn't be responsible for fraudulent charges (both of which would be true regardless of whether the breach was Discover's or someone else's).
Two things to note. First, many state data breach notification laws, and most importantly HIPAA, require covered entities to report breaches; the requirement isn't just to report your own breach, but to report any breach you discover. That's the duty of data holders -- if you know someone's data has been breached, let them know. Data breach reporting is not an admission of fault, and most data breaches don't result in fines or lawsuits. The point of breach notification is not (or at least shouldn't be) to tattle on yourself; it's to help out the public whose data is leaked and who might not know about it or how to protect themselves.
Secondly, it's not surprising that Discover's notice didn't say too much, like what they found or how they found it. Why is that? Because you don't want to give up your data security secrets. If the black hats learn how you found something out, they might learn how to hide it better, especially if you discovered it via some clever means.
Regardless, it's an interesting notice to get among the millions of data breach notifications.
Update: Jon Drummond is no relation (as far as I know), in case you thought so.