I'm fascinated by the unwillingness of organisations to name the "third party" to which they've attributed a breach. The initial reporting on the Allianz Life incident from last month makes no mention whatsoever of Salesforce, nor does any other statement I can find from them. And that's very often the way with many other incidents too, which, IMHO, sucks. My view is that when our data is provided to a third party and that party exposes it, we have a very reasonable expectation to know who lost it. My own personal info was exposed in the Ticketek breach last year; can you find any mention whatsoever in that disclosure notice of Snowflake DB? Nope, but that's the "reputable, global third party supplier" they refer to. Another fun fact: the other third party they don't name is HIBP: "We are aware some customers have recently been contacted by a third party regarding the impact to their information". 🤷♂️
References
- Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
- Allianz Life was breached with 1.1 million unique email addresses affected (the unnamed third party is apparently Salesforce)
- The 16 million record PayPal "breach" always smelled bad (probably because it's not a PayPal breach!)