
Oh man this is an interesting grey area. If the data was “encrypted” then they aren’t required to notify unless the encryption key is reasonably believed to have been acquired by the hacker.

I don’t know anything about MD5 or what makes it vulnerable but if StockX has no reason to believe the hacker acquired the key they could certainly make the argument they had no notice obligation.

Reading the statute (and assuming MD5 is as weak as everyone here says) I would say it falls outside the definition of “encrypted” but it really kind of depends on how honest the security engineers were with the lawyers.

I’ve never thought to ask “how encrypted?” when dealing with a breach but I definitely will now.




The non-password data was not encrypted, so it is definitely a breach of California law.


Ahh well then it’s definitely not grey. And serves me right for scanning the comments here and not actually reading the article.


MD5 is not an encryption algorithm. There is no key!



