Why Do Data Breached Companies Think Shutting Reporters up Helps?

The Evolve Bank & Trust breach is getting uglier by the day. In fairness, it didn’t start out very pretty. A ransomware gang claimed they hacked the Federal Reserve and wanted millions in ransom. It turns out that they attacked Evolve and did, in fact, steal a bunch of data from them. Evolve had been in the crosshairs of the feds for problematic banking practices and all this did was make things very public.

Fintech Business Weekly is a respected industry newsletter and it has been reporting on this breach from the start. Now it appears that Evolve has sent the newsletter a cease & desist letter. The newsletter has been reporting on which customer companies have been caught up in this breach and that, apparently, offends Evolve.

It appears that the problem boils down to this. The newsletter has seen some of the actual data and wants to let Evolve’s customers, which are other fintech businesses, know so that they can start their own investigation.

On the other hand, Evolve knows that they are very likely going to get sued up one side and down the other, so they want to control the information flow.

One of their clients is Affirm, a buy now pay later lender. It seems reasonable that victim companies like Affirm should get notified as quickly as possible. Evolve’s customers thought getting notified sooner was a great service.

But companies like Evolve have a different objective – and it is pretty typical. They want to completely control the information that gets out. Why? Because they think it will reduce some of the lawsuits, maybe. And maybe reduce the damage to their reputation.

They want to be able to notify specific customers on their schedule, with their words, not have the customer find out that their customer’s data has been hacked from a post on Twitter. I think companies that get hacked are going to need to learn to move faster and that means better security information systems. And, lawyers are going to need to get creative too. They will not be able to force the information disclosure onto their chosen timeline.

What happened instead is that the newsletter made the whole thing public. Now, Evolve is either going to have to back down from the C&D or defend themselves in court – something that will give them a much bigger black eye.

After all, would you like to do business with a company that is trying to shut down the flow of information when your information got hacked? That would not be a vendor I would put high on my list.

This is certainly not a problem limited to Evolve. I complain a lot about the amount of time it takes for the lawyers representing hacked companies to come clean. Lawyers would like many months so that they can spin the story in the best possible light for a really bad situation. Maybe disclose bad news on a Friday afternoon of a holiday weekend. You can’t blame them – that is their job.

On the other hand, in an electronic age that is a losing battle – especially for high profile breaches. Witness this one. Did trying to control the information flow work for Evolve?

Lawyers are going to need to get better at getting faster. How much ink has been spilled today writing about Evolve’s heavy-handed tactics? Not great PR for them. Credit: TechCrunch
