Entrust Corporation Suffers Data Security Incident Potentially Exposing Sensitive Consumer Data | Console and Associates, PC


On July 6, 2022, Entrust Corporation sent letters to certain individuals confirming that an unauthorized party was able to access the company’s computer system and delete certain files. However, to date, Entrust has yet to file a formal notice of breach and has yet to disclose whether any consumer data was compromised as a result of the recent data security incident. Based on statements made in the consumer letter, it appears that the company’s investigation into the data security incident is ongoing.

If you have received a data breach notification, it is essential that you understand what is at risk and what you can do about it. To learn more about how to protect yourself against fraud or identity theft and what legal options are available to you following the Entrust data breach, please see our recent article on the subject.

More information about the Entrust breach

According to a letter dated July 6, 2022, which was sent to an unknown number of people, Entrust CEO Todd Wilkinson explained that on June 18, 2022, the company discovered that an unauthorized party had had access to the Entrust network. In response, Entrust contacted law enforcement, secured its systems, and sought the assistance of a third-party cybersecurity firm to investigate the incident. The company’s investigation is still ongoing; however, Mr. Wilkinson noted that the unauthorized party was able to access and delete some files from the company’s network.

On July 6, 2022, Entrust sent data breach letters to everyone whose information was compromised as a result of the recent data security incident. This notice was not made public, however, and the breach only came to light when someone found and posted a copy of the letter on Twitter.

Founded in 1969, Entrust Corporation is a software company based in Minneapolis, Minnesota. Specifically, Entrust develops and sells security software to some of the world’s largest companies, including Microsoft, Visa, Mastercard, Square, VMware, Polycom, and ServiceNow. According to the company’s website, Entrust encrypts more than 24 million messages every day. Entrust employs more than 2,500 people and generates approximately $668 million in annual revenue.

Why do companies take their time reporting a data breach?

The Entrust data breach was first discovered in June 2022; however, as we approach the end of July, the company has yet to file an official notice of breach. Although Entrust sent letters to some consumers informing them that the company had suffered a data security incident, these letters did not mention the type of data that may have been compromised as a result of the system breach. Does Entrust know if consumer data has been leaked? If so, isn’t the company increasing the risk of identity theft and other fraud by waiting to provide notice of the incident?

Of course, the answer to this question is “yes”. Hackers and other cybercriminals often attempt to use the information they steal as soon as possible, long before consumers can cancel their credit cards and alert potential lenders. Thus, while waiting to give notice, a company gives hackers enough time to use the data for criminal purposes. However, there are good reasons why companies don’t immediately announce a data breach. There are also less good reasons.

As a preliminary matter, Entrust notes that the June 2022 data security incident is still under investigation. So, it’s entirely possible (and even likely) that the company simply doesn’t know what types of data, if any, were compromised as a result of the attack. However, outside of this scenario, there are other reasons why companies may delay notifying individuals or state governments of a breach.

One possible explanation for a delayed breach report is that the company doesn’t realize it was hacked until weeks or months after the incident. In these cases, there is little a company can do if it is unaware of a breach. Of course, organizations with strong data security systems should be able to identify and contain a breach relatively quickly. So while companies can’t report a breach they don’t know about, that’s not exactly a good excuse.

Another reason a data breach may not be reported immediately is that the company is cooperating with a law enforcement investigation. In some situations, law enforcement asks victimized businesses not to report a breach so as not to alert hackers that the breach has been detected and is being investigated. Holding back the report gives law enforcement time to investigate and possibly catch the criminals who orchestrated the attack.

Finally, another reason a company may not immediately report a breach is that it is in the process of reviewing leaked data to see what types of data were exposed and who was affected. Once a company becomes aware of a data breach, it must review the compromised files, which can take time. However, nothing prevents a company from issuing preliminary notice to all customers whose information may have been affected. Although there is no indication of whom Entrust sent the aforementioned letters to, it appears that Entrust provided preliminary notice of the breach to at least some consumers.

Ultimately, just because a company waits to file a formal data breach notice doesn’t mean it’s overlooking the risks the breach poses to consumers. However, that is a distinct possibility.

