An Honest Approach to the Post-Breach Letter

EDITOR’S NOTE: This blog is a work of fiction/humor and is not a factual statement on behalf of BlackBerry Cylance or BlackBerry Ltd.

To Our Compromised Customers:

Our team at <insert company> tried to secure its computer systems behind an old-fashioned perimeter, and the result is that hackers penetrated and persisted in our network for <insert months> and stole the <insert things stolen> you trusted us to protect.

We are just letting you know now, because it took our lawyers <insert weeks> to come up with a believable story that would mostly blame <insert hackers, nation-states, or third-parties>.

The good news is that our incident is of no consequence to you, because your <insert things stolen> have already been compromised dozens of times by others including <insert names of prior companies and agencies previously hacked>. This point will be made by our massive team of lawyers during any future class action suit to prove that no real harm has been done. So don't waste your time.

Additional good news for our investors is that we bought <insert amount> worth of cyber insurance, and we have done a stellar job successfully completing the pages and pages of paperwork for our <insert list of compliances>. We will just keep our heads down until this little incident blows over, which it will. Our stock price will be back to normal in <insert weeks>.

I should tell you that I fired our CISO, whom I met for the first time during this incident. I am told that this is the <insert second, third, or fourth> executive to hold this position in the past <insert one, two, or three> years. My board is pleased that I took this bold firing action, and they should know, because they received a brief talk on cyber hygiene at our last retreat. So, they are experts.

You should visit our flashy response website that we set up with enough added security to make it nearly impossible to get to the mostly useless information we included. You might also consider accepting our offer of <insert one, two, or three> years of identity protection, because it will limit our liability for future class action suits. It’s all explained in the fine print, which we know you will not read.

My advice is that you should just forget about this little incident. I know I will. I mean, there are so many more serious issues in our world that deserve your complete and undivided attention such as <insert North Korea, global warming, or high tuition costs>. The last thing you should be worried about is another compromise of <insert things stolen> that have already been ripped off before by others.

We are certain that our team will cause another incident in the future, so please just use this same letter in advance of that inevitable <insert type of breach>. Until then, let’s just forget about this little misunderstanding so that you can get back to your normal life. Deal?

Regards,

<Insert Name of Honest CEO>

About the Author:

Dr. Ed Amoroso is the Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.

Ed has been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past twenty-seven years, where he has introduced nearly two thousand graduate students to the topic of information security. He is also affiliated with the Tandon School of Engineering at NYU as a Research Professor, and the Applied Physics Laboratory at Johns Hopkins University as a senior advisor.

He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.

Ed holds a BS degree in Physics from Dickinson College, MS/PhD degrees in Computer Science from the Stevens Institute of Technology, and is a graduate of the Columbia Business School. He holds ten patents in the area of cyber security and media technology and he has served as a Member of the Board of Directors for M&T Bank, as well as on the NSA Advisory Board (NSAAB). Ed’s work has been highlighted on CNN, the New York Times, and the Wall Street Journal. He has worked directly with four Presidential administrations on issues related to national security, critical infrastructure protection, and cyber policy.