In cybersecurity, the phrase “what they don’t know won’t hurt them” is not only wrong, it’s dangerous. Despite this, it’s a motto that remains in many organizations’ PR playbooks, as demonstrated by the recent LastPass and Fortra data breaches.
LastPass has refused to answer any of TechCrunch+’s questions since it confirmed in December that hackers had exfiltrated customers’ encrypted password vaults a month earlier. Fortra is not only declining to answer our questions but also concealed details of a recent security breach — potentially affecting upwards of 130 of its corporate customers — behind a paywall on its website.
TechCrunch+ has learned that LastPass has already lost customers because of its silent-treatment approach to its breach. And Fortra is likely to face a similar fate after TechCrunch+ heard from multiple customers that they only learned that their data had been stolen after receiving a ransom demand; Fortra had assured them that the data was safe.
Smaller companies, too, are employing a silent-treatment approach to data breaches: Kids’ tech coding camp iD Tech failed to acknowledge a January breach that saw hackers access the personal data of close to 1 million users, including names, dates of birth, passwords stored in plaintext, and about 415,000 unique email addresses. Concerned parents told us at the time that they only became aware of the breach after receiving a notification from a third-party data breach notification service.
Cyberattacks are now a fact of doing business: Almost half of U.S. organizations suffered a cyberattack in 2022, and attackers are increasingly targeting smaller businesses because they are seen as easier targets than large companies. This means that your startup is likely to get compromised at some point.
Transparency is key
While getting hacked can be forgivable, an organization’s victim status will not last long if it fails to respond appropriately or at all — as demonstrated by LastPass and Fortra.