
It took them 67 days to disclose that their premier product, which is used heavily in the industry, had been compromised. Does anyone know why it seems like we're seeing disclosures like this take longer and longer to be disclosed? I would think the adage "Bad news travels fast" would apply more often in these cases, if only to limit the scope of the damage.


I can't help thinking that a part of it is that the Supreme Court has proactively & progressively been watering down the threat of class actions (in general, not specific to tech) since the early 2010s.

Sony & many others have proved pretty comprehensively that brand reputation isn't really impacted by breaches, even in high-profile, consumer-facing businesses. That trickles down to B2B: if your clients don't care, why should you?

That leaves legal risk as the only other motivating factor. If that's been effectively neutered, it doesn't make economic sense for companies to do due diligence with breaches.

As far as I'm aware, Yahoo were the last company to suffer any significant impact from the US legal system due to a breach.


Their customer base is enterprise, so the issue can be addressed in private channels. There's little to be gained from making this particular breach public, from their point of view. If anything, it's F5 customers who should advise their own customers downstream about the risks, when risks apply. Disclosure: I'm affected by this breach downstream at several sites and we have not been informed of risks by anyone, but have been fighting fires where F5 was involved, but not necessarily blamed for anything.

But you are right, at F5's size and moneys, incentives for public disclosure are not aligned in the public's favor. Damage control, in all its meanings, has taken priority lately over transparency.


Why did you propose one hypothesis and then, right after, offer first-hand evidence that contradicts it?

Completely missed your point.


Just to be clear, the attackers had access to the systems well before this date.

Sometimes when a company engages law enforcement, law enforcement can request that they not divulge that the company knows about the problem so that forensics can begin tracking the problem.

I won't speak to how often that happens or how competent law enforcement are, though, but it can happen.


My understanding is that the hackers had a copy of the source code for their app, so they had to patch all the outstanding CVEs that they were sitting on, so the DOJ let them hold back until that was ready. It's not ideal, but I suppose there is at least something people can do right now. Feels like they could have been a bit quicker with some of the information, though.
