Notice of Data Breach
Joshua Peskay
3CPO (CIO, CISO, CPO) CISSP, CISM - Helping nonprofits leverage technology to do more, do better and be more secure. Also, I collaborate with a potato.
Jul 25, 2024
To: Joshua Peskay
From: Interwebs.inc
Notice of Data Breach
Dear Valued Data Subject,
We are writing to inform you of a recent data security incident that may have (definitely) exposed your personal information. Please know that we take the protection of your data as seriously as a heart attack (which, based on your Fitbit data that was part of the breach, you are in danger of having at any moment).
What Happened?
On July 3, 2019, an unknown third party subcontractor used a fake mustache and impressively realistic Chicago accent to impersonate a company employee and gain access to our business systems. This allowed them to obtain some of your data, which it turns out we had actually acquired from another third party who had themselves obtained it from a guy in New Jersey who listed “Bittorrent” as his customer database.
Why are we notifying you now??
We detected the incident within a few hours, but only after five years and nineteen days did our lawyers officially, legally, confirm that your data was part of the breach. We very much wish to comply with data breach notification laws in your state and therefore we are notifying you well within the 72 hour notification period following confirmation of a breach (with 6 minutes to spare).
See? We’re fully compliant! All of our auditors, whom we pay a lot of money to say so, say so.
What Information Was Involved?
We determined that certain data associated with your online identity may have been (e.g. definitely were) acquired by the unknown third party. We have confirmed that the data includes:
Thankfully, no Social Security numbers were involved. Unfortunately, we can’t say the same for the data showing you spent 1,567 hours watching TikToks of people eating kumquats.
WTF Are We Doing About It?
We regret that this incident occurred because it’s been a massive headache for our legal and comms teams. To alleviate any concerns, we have automatically (and very much against your best interests but giving us critical legal cover) enrolled you in identity monitoring services provided by MegaUltraMaxSafeSecureID. MegaUltraMaxSafeSecureID’s team has extensive experience in dealing with the fallout of unintentional data exposure—mostly their own. They provide the latest in ITaaS (Identity Theft as a Service) technology and you can rest assured that your data is thoroughly and properly hosed now that they have their grubby little hands on it. Yahtzee!
About Your Information…
In the spirit of transparency, we feel obliged to inform you that long before we lost it, we had sold your data many times over to multiple data broker services who, in turn, sold it to other data broker services. These services were all subsequently breached (because let's be honest, who hasn't, amiright?), and for years your personal data has been tossed around like tater tots in a middle school food fight.
It's All Totally Legal
It turns out that you actually NEVER signed up for our services (I know, shocking, right?) and that we only had your data in the first place because the guy in New Jersey with Bittorrent for his CRM sold your information to the third party we bought it from (along with that of 4.2 million other people) back in 2019. This is all completely legal because WE did not know the information was obtained illegally before we bought it legally. Seriously, it's all on the up and up.
Then Why Are We Telling You?
You happen to live in a state with a privacy law that compels us to tell you this. Most of the other people don’t even know and we are thanking our lucky stars that none of those 4.2 million people were EU citizens. Can you imagine if we were subject to GDPR? What a f**#ing s**tstorm that would be!
Get Over It
We apologize for any inconvenience this may cause you and encourage you to get used to the idea that your personal data gets more exposure than Taylor Swift on a press tour because all of this is completely legal in the United States.
Thank you for your understanding and for continuing to trust us with your data. Let’s be honest, what other choice do you have??
Cheers!
Ivana Midatabak
Chief Privacy Officer
Interwebs, Inc.
Attention-getting photography for nonprofits, businesses, and media
1 month
Love it! And, sadly, so true.
In some ways, I think these data brokers WANT us to think our data is cheap because they still profit from it. Once we see the value of our data and want protections, now data brokers and companies have to protect our data or worse, DELETE our data to protect themselves from further fines because now the fines or infrastructure to prevent getting fined is more costly than selling the data.
Chief Data Officer, Co-founder at Thanx
4 months
Ivana Midatabak. Classic.
VP of Data Strategy at RoundTable Technology PMP, CIPP/US
4 months
Yes, this is a laugh/cry situation. I will hop on my Data Broker Legislation Soapbox for a moment: Data brokers are among the least regulated industries and they literally affect all of us. People would be outraged if they knew, but this happens through the digital fog we leave behind. More states and the Federal Government should follow what happened in California with the passage of the Delete Act, which is a start to regulating this industry. This bill was pushed by a private citizen, Tom Kemp, who worked with a State Legislator - to get this through. I have been talking with our NY legislators... still working on it. We can make a difference.
Motive Consulting | Empowering NFPs and For-Purpose organisations to achieve more through data analytics, automation and collaboration.
4 months
Good reason to sign up to Have I Been Pwned https://haveibeenpwned.com/ - in most (all?) cases you'll be notified through here before the breached organisation gets advice from their legal team.