On July 6, 2022, Entrust Corporation sent letters to several individuals confirming that an unauthorized party had gained access to the company’s computer system and removed certain files. However, to date, Entrust has not filed an official notice of the breach and has not disclosed whether any consumer data has been compromised as a result of the recent data security incident. Based on statements made in the letter to consumers, it appears that the company’s investigation into the data security incident is ongoing.
If you receive a data breach notification, it’s important that you understand what’s at stake and what you can do about it. To learn more about how to protect yourself from being a victim of fraud or identity theft and what your legal options are after the Entrust data breach, please see our recent piece on the topic here.
More Information About the Entrust Breach
According to a letter dated July 6, 2022, sent to an unknown number of people, Entrust CEO Todd Wilkinson explained that, on June 18, 2022, the company discovered that an unauthorized party had gained access to Entrust’s network. In response, Entrust contacted law enforcement, secured its systems, and enlisted the help of a third-party cybersecurity firm to investigate the incident. The company’s investigation is still ongoing; however, Mr. Wilkinson said the unauthorized party was able to access and remove certain files from the company’s network.
On July 6, 2022, Entrust sent data breach letters to all individuals whose information was compromised as a result of the recent data security incident. This notice was not made public, however, and the breach only came to light when someone saw and posted a copy of the letter on Twitter.
Founded in 1969, Entrust Corporation is a software company based in Minneapolis, Minnesota. More specifically, Entrust develops and sells security software to some of the world’s largest corporations, including Microsoft, Visa, Mastercard, Square, VMware, Polycom and ServiceNow. According to the company’s website, Entrust encrypts more than 24 million messages every day. Entrust employs more than 2,500 people and generates approximately $668 million in annual revenue.
Why Do Companies Take Their Time Announcing a Data Breach?
The Entrust data breach was first discovered in June 2022; however, as we approach the end of July, the company has yet to file an official breach notice. While Entrust sent letters to select consumers informing them that the company had experienced a data security incident, these letters did not mention the type of data that may have been compromised as a result of the system breach. Does Entrust know if consumer data has been leaked? If so, isn’t the company increasing the risks of identity theft and other fraud by waiting to give notice of the incident?
Certainly, the answer to this question is “yes.” Hackers and other cybercriminals often try to use whatever information they steal as soon as possible, before consumers can cancel their credit cards and alert potential lenders. So, by waiting to give notice, a company gives hackers enough time to use the data for criminal purposes. However, there are some good reasons why companies don’t immediately announce a data breach, and some bad ones.
As a preliminary matter, Entrust notes that the June 2022 data security incident is still under investigation. So, it’s entirely possible, and even likely, that the company simply doesn’t know what, if any, types of data were compromised due to the attack. Beyond that situation, however, there are other reasons why companies may hold off on notifying individuals or state governments about a breach.
One possible explanation for a delayed breach report is that the company did not realize it had been hacked until weeks or months after the incident. In these cases, there is little the business can do if it is not aware of a breach. Of course, those organizations with strong data security systems should be able to detect and contain a breach quickly. So, while companies can’t report a breach they don’t know about, that’s not exactly a good reason.
Another reason a data breach may not be reported immediately is that the company is cooperating with a law enforcement investigation. In some cases, law enforcement agencies require business victims to hold off on reporting a breach so as not to alert hackers that the breach has been identified and is under investigation. Holding off on the report gives law enforcement time to conduct an investigation and, potentially, catch the criminals who orchestrated the attack.
Finally, another reason why a company may not report a breach immediately is that the company is in the process of analyzing the leaked data to see what types of data were exposed and who was affected. When a company learns of a data breach, it has to analyze the compromised files, which can take time. However, nothing prevents a company from issuing preliminary notice to all customers whose information may have been affected. Although there is no indication of whom Entrust sent the aforementioned letters to, it appears that Entrust provided advance notice of the breach to at least some consumers.
The bottom line is that just because a company waits to file official notice of a data breach does not mean the company is ignoring the risks posed by the breach to consumers. However, that is a distinct possibility.