The Post Millennial breach in this week's video is an interesting one, most notably because of the presence of the mailing lists. Now, as I've said in every piece of communication I've put out on this incident, the lists are what whoever defaced the site said TPM had and they certainly posted that data in the defacement message, but we're yet to hear a statement from the company itself. Taking it at face value, where does their responsibility lie as it relates to individuals in this data set? I mean, let's say you signed a petition aligned to your political ideals many years ago and agreed to the terms and conditions (which you didn't read, because you're a normal human) then your data pops up somewhere like TPM. Is it their responsibility to let you know? Or the service that sold your data to them? Or... something else? It's messy, real messy, and the only thing I'm confident in saying is that the most likely thing to happen is the same as every other time we see this pattern: nothing.
References
- Sponsored by: Kolide believes that maintaining endpoint security shouldn’t mean compromising employee privacy. Check out our manifesto: Honest Security.
- LockBitSupp got seriously pwned by the NCA and friends (crimes include running an international ransomware syndicate and wearing AirPods in a weird way)
- Dell got themselves breached and data is being sold online (that link is to a story I saw after recording this video that says there was an enumerable API accessible from their partner portal)
- Tappware had a breach that leaked a whole bunch of national ID card pics (also, have we ever seen a national CERT post a screen cap with the PII of breach victims before? 🤔)
- The Post Millennial got very breached (site defacement, editor PII, subscriber PII and a large trove of mailing list data)