On July 6, 2022, Entrust Corporation sent out letters to certain individuals confirming that an unauthorized party was able to gain access to the company’s computer system and remove certain files. However, to date, Entrust has not yet filed official notice of the breach and has not yet disclosed whether any consumer data was compromised as a result of the recent data security incident. Based on statements made in the letter to consumers, it appears as though the company’s investigation into the data security incident is ongoing.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Entrust data breach, please see our recent piece on the topic here.
More Information About the Entrust Breach
According to a letter dated July 6, 2022, that was sent to an unknown number of people, Entrust CEO Todd Wilkinson explained that, on June 18, 2022, the company discovered that an unauthorized party had gained access to the Entrust network. In response, Entrust contacted law enforcement, secured its systems, and enlisted the help of a third-party cybersecurity firm to investigate the incident. The company’s investigation is still ongoing; however, Mr. Wilkinson noted that the unauthorized party was able to access and remove certain files from the company’s network.
On July 6, 2022, Entrust sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. This notice was not made public, however, and the breach only came to light when someone found and posted a copy of the letter on Twitter.
Founded in 1969, Entrust Corporation is a software company based in Minneapolis, Minnesota. More specifically, Entrust develops and sells security software to some of the largest corporations in the world, including Microsoft, Visa, Mastercard, Square, VMware, Polycom and ServiceNow. According to the company’s website, Entrust encrypts more than 24 million messages every day. Entrust employs more than 2,500 people and generates approximately $668 million in annual revenue.
Why Do Companies Take Their Time in Announcing a Data Breach?
The Entrust data breach was first discovered in June 2022; however, as we approach the end of July, the company has not yet filed an official notice of the breach. While Entrust sent letters to select consumers informing them that the company experienced a data security incident, these letters did not mention the type of data that may have been compromised as a result of the system breach. Does Entrust know if consumer data was leaked? If so, doesn’t the company increase the risks of identity theft and other fraud by waiting to provide notice of the incident?
Certainly, the answer to this question is “yes.” Hackers and other cybercriminals often attempt to use any information they steal as soon as possible—well before consumers can cancel their credit cards and alert potential lenders. Thus, by waiting to provide notice, a company gives hackers ample time to use the data for criminal purposes. However, there are some good reasons why companies do not announce a data breach immediately—there are also some not-so-good reasons.
As a preliminary matter, Entrust notes that the June 2022 data security incident is still under investigation. Thus, it is entirely possible—and even likely—that the company simply doesn’t know what, if any, data types were compromised due to the attack. However, barring that scenario, there are other reasons why companies may hold off on notifying individuals or state governments about a breach.
One possible explanation for a delayed breach report is that the company doesn’t realize it has been hacked until weeks or months after the incident. In these cases, there is little a business can do if it is unaware of a breach. Of course, those organizations with strong data security systems should be able to identify and contain a breach rather quickly. So, while companies can’t report a breach they are unaware of, that isn’t exactly a good excuse.
Another reason why a data breach may not be reported immediately is that the company is cooperating with a law enforcement investigation. In some situations, law enforcement agencies ask victimized businesses to hold off on reporting a breach so as to not alert hackers that the breach has been detected and is under investigation. Holding off on the report gives law enforcement time to conduct an investigation and, potentially, catch the criminals who orchestrated the attack.
Finally, another reason why a company may not immediately report a breach is that the company is in the process of reviewing the leaked data to see what data types were exposed and who was affected. Once a company learns of a data breach, it needs to review the compromised files, which can take time. However, there is nothing stopping a company from issuing a preliminary notice to all customers whose information may have been affected. While there is no indication of whom Entrust sent the aforementioned letters to, it appears that Entrust provided preliminary notice of the breach to at least some consumers.
The bottom line is that just because a company waits to file official notice of a data breach doesn’t mean the company is being negligent of the risks the breach poses to consumers. However, that is a distinct possibility.