Technology | Academics | Policy - Home
BLOG POST

Enhancing the Security of Data Breach Notifications and Settlement Notices

Publication Date: December 19, 2019 2 minute read
Written By

Edward Felten, TAP Scholar
Arvind Narayanan
Ryan Amos
Mihir Kshirsagar
  • Privacy
  • Networks and Infrastructure
  • Internet

[This post was jointly written by Ryan Amos, Mihir Kshirsagar, Ed Felten, and Arvind Narayanan.]

We couldn’t help noticing that the recent Yahoo and Equifax data breach settlement notifications look a lot like phishing emails. The notifications make it hard for users to distinguish real settlement notifications from scams. For example, they direct users to URLs on unfamiliar domains that are not clearly owned by the company that was breached or by any other trusted entity. Practices like this lower the bar for scammers to create fake phishing emails, potentially victimizing users twice. To illustrate the severity of this problem, Equifax mixed up domain names and posted a link to a phishing website to their Twitter account. Our discussion paper presents two recommendations to stakeholders to address this issue.

First, we recommend creating a centralized database of settlements and breaches, with an authoritative URL for each one, so that users have a way to verify the notices they receive. Such a database has precedent in the Consumer Product Safety Commission (CPSC) consumer recall list. When users receive notice of a data breach, this database would serve as a reliable authority to verify the information included in the notice. A centralized database has additional value outside the data breach context as courts and government agencies increasingly turn to electronic notices to inform the public, and scammers (predictably) respond by creating false notices.

Second, we recommend that no settlement or breach notice include a URL to a new domain. Instead, such notices should include a URL to a page on a trusted, recognizable domain, such as a government-run domain or the breached party’s domain. That page, in turn, can redirect users to a dedicated domain for breach information, if desired. This helps users avoid phishing by allowing them to safely ignore links to unrecognized domains. After the settlement period is over, any redirections should be automatically removed to prevent abandoned domains from being reused by scammers.
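The second recommendation has two mechanical parts: a notice link is acceptable only if it points at the breached party’s own domain or a government domain, and the redirect hosted there must stop being served once the settlement period ends. The following is an added illustration, not code from the post or from any settlement administrator; the domains, paths and dates in it are constructed.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse


@dataclass(frozen=True)
class Redirect:
    path: str              # path on the trusted domain that the notice links to
    target: str            # dedicated breach-information URL the path forwards to
    settlement_ends: date  # last day on which the redirect may be served


# Constructed sample redirect table kept by the trusted (breached party's) domain.
REDIRECTS = {
    "/settlement/example-2019": Redirect(
        path="/settlement/example-2019",
        target="https://example-settlement-notice.invalid/claim",
        settlement_ends=date(2020, 1, 31),
    ),
}

# Suffixes treated as trusted in addition to the breached party's own domain.
TRUSTED_SUFFIXES = (".gov",)


def resolve_redirect(path, today_iso, table=REDIRECTS):
    """Return the redirect target for `path`, or None if unknown or expired.

    `today_iso` is the current date as YYYY-MM-DD. Once the settlement period
    is over the entry resolves to nothing, so the trusted page never keeps
    forwarding users to a domain that may later lapse and be re-registered.
    """
    entry = table.get(path)
    if entry is None or date.fromisoformat(today_iso) > entry.settlement_ends:
        return None
    return entry.target


def is_trusted_notice_url(url, breached_party_domain):
    """True only for an https URL on the breached party's domain (or a
    subdomain of it) or on a domain with a trusted suffix such as .gov."""
    parts = urlparse(url)
    host = parts.hostname  # already lower-cased by urlparse
    if parts.scheme != "https" or not host:
        return False
    own = breached_party_domain.lower()
    if host == own or host.endswith("." + own):
        return True
    # A look-alike such as example.com.evil.test fails both checks above
    # and below, which is exactly the "unrecognized domain" users should ignore.
    return any(host.endswith(suffix) for suffix in TRUSTED_SUFFIXES)
```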


The preceding is republished on TAP with permission by its author, Professor Ed Felten, Director of the Center for Information Technology Policy at Princeton University. “Enhancing the Security of Data Breach Notifications and Settlement Notices” was originally published November 8, 2019 on Freedom to Tinker.

Tags
  • Data Breach
