Due Date: June 16th, 2024 at 11:59 PM
For this assignment, you will assume the role of a cybersecurity professional in an organization. Your organization has recently suffered a data breach and some personally-identifiable information (PII) has been exfiltrated from your organization.
Your task is to write a public disclosure notice that will be sent to all parties whose data may have been compromised.
You can make up the name of the company, the specific pieces of data that were breached, and the mitigation you are both employing internally as well as offering victims of the breach. However, these characteristics should be sensible within the context of your scenario - for example, offering service discounts to victims of loss of medical data at a clinic would not be very helpful to most people. You must also imagine that a significant amount of PII was breached - "your first name alone" is insufficient as it is not unique enough to identify a specific individual.
See the Content section for more guidance on what is expected in terms of data breached and mitigations.
Your disclosure should be in written form, as would be suitable for delivery via E-mail. There is no specific length requirement, but you must include all of the required content items. A length of one page would probably be considered average - you want to be concise while still including all relevant information.
You can use your imagination regarding the specific details of the hypothetical attack that occurred in your organization. However, a few items must be included:
-
What data was breached (for example, payment information, hashed passwords...)
The data that was breached should include, at a bare minimum, some piece of data that would be considered sensitive, such as password, credit card number, Social Security number, etc. Multiple pieces of data are likely to be breached, so including more data breached is a safe choice, as long as you account for it in your mitigation.
-
The potential impact the data breached may have on those who had their data exfiltrated
Assume that your audience may not be strongly familiar with cybersecurity and the risks that may occur due to a data breach. Provide a very brief explanation of attacks such as identity theft or password reuse attacks (depending on what PII you decide was breached in your scenario).
-
A non-technical but feasible description of how the attack occurred. (For example, don't write about brute-force attacks on password hashes or port scans. Do write a simple explanation that would be understandable to non-technical readers.)
-
Guidance for users as to what they can do to protect themselves.
This is dependent upon the PII that was breached, but might include items such as changing passwords on other sites, alerting banks to possible fraud, etc.
-
What steps will be taken to mitigate damage, both to the organization and to those individuals affected.
You may create a theoretical, but reasonable, offer to users, such as discounted or free credit monitoring or assistance with addressing damage caused by the breach. You should also offer obvious free solutions, such as proactively locking accounts with breached passwords and requiring password changes.
You can search the Internet for inspiration or ideas, or you can draw on actual breach notifications you may have received. However, do not copy/paste an existing breach notification - the goal is to write your own from scratch using a theoretical scenario.
DO NOT use a real breach for your scenario - come up with your own scenario!
Prepare your submission in either a Word or a PDF document and submit to the D2L Dropbox.
This is an individual assignment. All class members must submit an original, independently created submission.
This assignment is worth 100 points. Points are assigned as follows:
| Item | Points | Penalties |
|---|---|---|
| Provided information on the specifics of the breach scenario - what data was stolen and how it might impact the victims | 30 | Variable point loss if significant or important details are missing. |
| Provided practical guidance for users who are victims of the breach scenario | 30 | Variable point loss if significant or important details are missing. |
| Provided information on mitigation of negative effects from the attack for both the user (e.g. offers of discounted monitoring) and the organization (e.g. resetting accounts with stolen passwords) | 30 | Variable point loss if poor/incorrect advice given or advice is missing. |
| Document uploaded in correct format (Word or PDF) | 10 | Loss of points if document is not in PDF or Word format. More or all points may be lost if I can't convert your submission into a readable format! |
Late submissions will receive a total loss of percentage of earned points based on the syllabus's Late Work policy. Submissions 3 days late or later will receive 0 points.