Yes, they should have announced it no matter what the logs said.
Depending on the logs is the worst idea ever in terms of breach determination. I don’t know how many times we’ve had 40 IoCs, but just because there isn’t a log file (often because no one splurged for the SIEM and the syslog collector broke beyond repair months ago) management acts like they’ve won the legal liability / cyber security lottery.
Obviously it’s not as black and white as that, but the burden of proof should be on the companies to show that no malicious use happened right after they go public with a breach.
Going public with this kind of information, even if nothing happened, could have driven much better behavior across the United States if not the world by setting the example. But Google chose the path of self-protection and short-term gain.
Wait, was this a vulnerability or a breach? Because if every vulnerability is now a breach, there are millions more than we know about.
Microsoft sends out monthly security patches. Each fix in there is fixing a vulnerability. Every Windows server has multiple vulnerabilities fixed every month. Is every company that uses Windows now required to determine if any of those vulnerabilities were actually used? This seems like a bottomless hole.