From the title, it seemed that Verizon had published a postmortem of a recent data breach incident they had.
It could be considered situational irony for a company reporting on industry data breaches to expect readers to disclose personal information as one would expect them to display sensitivity to unnecessary capture of precisely this kind of data.
Until then, it's a great way to squeeze crypto out of some company to make up for the fact that your country is under sanctions tied to the US Dollar, and since it's hard to prove to the bean counters that an attack will happen with reasonable certainty on a given system in the next quarter, good luck getting resources and priority for mitigations beyond the usual.
False.
Companies are now liable to report breaches to the SEC and steps taken to remediate.
As I've mentioned several times on HN before, heads do roll and C-Suite does care about security posture now that liability and insurance payouts are on the line.
The annoying thing is HNers will never see the actual successes (because these are obviously kept private) and only see a couple glaring failures.
Furthermore, this report is an advertisement for Verizon's MSSP division (Verizon Business), which companies pay to manage their security posture - all telcos have had an MSSP BU since the 1980s (AT&T Global Business Services being the market leader).
You'll see a lot of BS like this for the next 2 months because RSA is in 2 weeks and AWS Re:Invent in a month. It's conference season (great time to stock up on free t-shirts and drink Blanton's on the corporate tab).
I'm looking at UnitedHealth's stock price over the last year. The theft happened in February. There was a dip; it's already recovering from that.
The market doesn't particularly care about those disclosures, it would seem.
We used to hang thieves. We still had theft.
It does not include the vast majority of breaches that happen every year and are reported to federal and state regulatory bodies or as posted to cybercrime / ransomware sites.
One of the coolest things is that this process, though flawed, is transparent and semi-open to the public.
The dataset and the underlying process by which events are selected take place in the open on GitHub.
Kudos to their commitment to open source.
T-Mobile (2021), AT&T (2024), Verizon (2024)
Page 11: "Hello, friends, and welcome to the “Results and analysis” section."
Page 15: "Hey, you, don’t skip this section this year! We know we keep repeating, “It’s always external criminals wanting your money” alongside dated pop culture references, but we have some interesting data points to discuss this year. Does this mean External actors are not the most prevalent? No, of course they are, silly. But since we got your attention, please read on."
Page 37: "In the cybersecurity world, or “the cyber biz,” as we call it, we certainly love our catchy terminology. Terms such as whaling, smishing, quishing, tishing, vishing, wishing, pharming, snowshoeing and plain old phishing are ever-present in the Social Engineering pattern. This makes sense because there are a lot of vectors on which we need to educate our employees and end users, and we’re positive that in another five years, there will be new ones that we will have to add to our list."
As someone who works in the "cyber biz", I don't think we really do like all of these supposedly catchy terms that are just more specific ways to describe the same thing. All it does is confuse end users with more jargon.
https://www.verizon.com/about/news/2024-data-breach-investig...