A Cyberattack Victim Notification Framework

Interesting analysis:

When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry.

When making notifications, companies often do not know the true identity of victims and may only have a single email address through which to provide the notification. Victims often do not trust these notifications, as cyber criminals often use the pretext of an account compromise as a phishing lure.

[…]

This report explores the challenges associated with developing the native-notification concept and lays out a roadmap for overcoming them. It also examines other opportunities for more narrow changes that could increase the likelihood that victims will both receive and trust notifications and be able to access support resources.

The report concludes with three main recommendations for cloud service providers (CSPs) and other stakeholders:

  1. Improve existing notification processes and develop best practices for industry.
  2. Support the development of “middleware” necessary to share notifications with victims privately, securely, and across multiple platforms including through native notifications.
  3. Improve support for victims following notification.

While further work remains to be done to develop and evaluate the CSRB’s proposed native notification capability, much progress can be made by implementing better notification and support practices by cloud service providers and other stakeholders in the near term.

Posted on September 12, 2025 at 5:04 PM

Comments

KC September 13, 2025 7:56 AM

A few unpacked observations from the report:

part 1:

When thinking about notifying individuals about cyber incidents, it’s a helpful parallel to think about the Dept of Defense. The DOD alerts on incidents in a band a level up, e.g., Unclassified to Secret, Secret to Top Secret.

For individuals, first and third party notifiers can help fill this role.

KC September 13, 2025 7:59 AM

part 2:

Consider Apple as a mature first party notifier. When Apple detects zero-click spyware, it sends notifications to individuals through various channels like the customer portal, email, and Apple Messages. The notice directs individuals to seek assistance from a non-profit organization like Access Now via their Digital Security Helpline. Access Now received over 4,337 requests for assistance in 2024.

Additionally, proxies or third party notifiers can own this responsibility. The UK’s NCSC has developed a registry for UK companies to register for “Early Warning” alerts. The same responsibility could be given to banks, ISPs, counsel, etc.

KC September 13, 2025 8:01 AM

part 3:

Of course, any conglomerate system would need to operate via a Data Clean Room where victim info could be submitted as hashed values and matched to the hashed values of account provider data.

Standards bodies, NIST for example, could update Special Publication 800-61 to include recommendations on victim notification. Cloud service providers and other stakeholders could convene a consortium to further develop this infrastructure.

I’m honestly sad to learn the Cyber Safety Review Board has been disbanded after three years. This excellent IST report evolved from Recommendations 18, 19, and 20 from the last CSRB report. Seeing as members of the CSRB were paid $0 I hope work like this continues to be organized under various stakeholders.
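The hashed-value matching sketched in part 3 above, as an added example that is not part of KC's comment or the IST report. It assumes a clean-room operator holds a shared key so both parties submit keyed tokens (HMAC-SHA256) rather than plain hashes; the sample addresses are constructed, and the last function shows why unkeyed hashes of e-mail addresses can be inverted from a guess list.

```python
import hashlib
import hmac

# Constructed sample data: a notifier's victim list and a provider's account table.
VICTIM_EMAILS = ["alice@example.com", "Bob@Example.org ", "carol@example.net"]
PROVIDER_ACCOUNTS = {
    "bob@example.org": "acct-1001",
    "dave@example.com": "acct-1002",
    "alice@example.com": "acct-1003",
}


def normalize(email: str) -> str:
    """Both sides must canonicalize identically or tokens will never match."""
    return email.strip().lower()


def unkeyed_token(email: str) -> str:
    """Plain SHA-256 of the address: deterministic, but invertible by dictionary."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 with a key held by the clean-room operator (assumed setup)."""
    return hmac.new(key, normalize(email).encode(), hashlib.sha256).hexdigest()


def match_victims(victim_emails, provider_accounts, key: bytes):
    """Clean-room join: each side tokenizes with the same key and only the
    intersection (provider account ids to notify) is learned."""
    victim_tokens = {keyed_token(e, key) for e in victim_emails}
    provider_index = {keyed_token(e, key): acct for e, acct in provider_accounts.items()}
    return sorted(provider_index[t] for t in victim_tokens if t in provider_index)


def dictionary_recover(token: str, candidates):
    """Inverts an unkeyed token by trying every candidate address; returns None
    when the token was keyed (or the address is not in the guess list)."""
    for c in candidates:
        if unkeyed_token(c) == token:
            return normalize(c)
    return None


if __name__ == "__main__":
    key = b"clean-room-shared-key"  # placeholder; would be operator-managed
    print(match_victims(VICTIM_EMAILS, PROVIDER_ACCOUNTS, key))
    print(dictionary_recover(unkeyed_token("bob@example.org"), PROVIDER_ACCOUNTS))
    print(dictionary_recover(keyed_token("bob@example.org", key), PROVIDER_ACCOUNTS))
```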

Clive Robinson September 13, 2025 10:30 AM

@ Bruce, ALL,

With regards the article intro above,

“When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm.”

In theory it’s easy, the “industry entities” just need a “trusted path” to the user and be “honest”…

In practice however,

“No industry entities can or should be trusted…”

One reason is they sell the user out to completely untrustworthy people. [This includes but is not limited to the Governments and agencies of not just the user’s nation, but any nation such as North Korea, Iran, China, Russia and much worse such as the Dutch, Israeli and especially the US, UK. All of whom then use it in ways that are often at best “unlawful”.]

Another is such entities lie about what has happened when security incidents occur. Thus any notification is basically pointless and worthless, except for causing mental distress in users…

Another is that any remediation such entities offer, are either completely pointless or the user finds they have to hand over all their “personal details” to yet another untrustworthy “industry entity”, to be sold off immediately or in the near future.

And I could go on and on with a near never ending list…

Take for instance the latest like “Brave” and their supposedly “better browser”… They have just forced in “client side scanning” by what they imply incorrectly is “helpful AI” but make it impossible for even experienced users to remove.

So dumping Brave pronto like any other AI “client side scanning” forcing “Industry Entity” would be a very good idea… Along with anything based on Google or Microsoft, Mozilla and similar browsers…

But who do you replace them with? Because they are all at it…

So next to nobody with any sense trusts any “industry entity”…

Which is just one of many many reasons we have the problem the article notes of,

“However, providing notifications has proven a challenge across industry.”

Because mostly the industry is completely untrustworthy, and those that were trustworthy get turned to the dark side…

So there is not going to be a solution to this issue, until there are very easily legally enforceable ways to protect users’ privacy in ways that will make the industry more trustworthy…

Just a reminder that long before the UK or Britain existed, there was a Royal issued punishment for breaching a Kings privacy.

It was called “Gelding and Gouging” and it was not designed to be a death sentence but a “justice is seen to be done style punishment”.

Put simply it was someone’s job to, by hand, “rip out the offenders eyes”, then “rip off their testicles”…

And yes people did survive this punishment… The Chinese had similar punishments and Muslim nations used similar as a “tax” on non Muslims, where the family’s eldest male child was castrated and used as a slave and all that implied…

Maybe bring it back for,

“The politicians, lobbyists, share holders, C-Suite and senior management, and others in that order”

Who are those who actually by policy, regulation and inaction etc abuse people’s private and personal information. It might just change things a little and “trust” might get built up again over time.

But with no trust I cannot see users doing anything that would increase their vulnerability in any way.

ResearcherZero September 15, 2025 4:15 AM

WhatsApp recently announced it fixed a zero day that was targeting Apple users. It did not say if the related issues affect other applications, and neither did any other developer.

The bug known as CVE-2025-55177 allows unauthorized device linking by a malicious URL which can be chained with a zero click that exploits an out-of-bounds write in JPEG Lossless Decompression (CVE-2025-43300). Samsung also patched a similar issue (CVE-2025-21043).

https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/

Former security chief claims around 1,500 Meta and WhatsApp engineers had unaudited access to user data, including pictures, messages, location and other personal information.
https://www.cnbc.com/2025/09/08/ex-meta-employee-whistleblower-suit-alleged-security-flaws-whatsapp-.html

The lawsuit claims in 2022 around 100,000 users a day had their accounts hacked, and that the number of users suffering account takeover had then increased to 400,000 by 2024.
https://arstechnica.com/security/2025/09/former-whatsapp-security-boss-sues-meta-for-systemic-cybersecurity-failures/

ResearcherZero September 15, 2025 5:11 AM

@Clive Robinson, KC

Considering more than 700 companies were affected by Salesforce breaches, plus all the other numerous incidents of teenagers breaking into major tech companies, it is pretty obvious that security and segmentation of user data is terrible across the board. Today many businesses continue to provide employees with passwords which are a combination of the company name (perhaps abbreviated), followed by a number and a symbol. The user name for the employee account is usually an email address (often the employee’s personal email).

The same weak password is often used by multiple employees and network access within the business these days can often include WIFI with similarly weak and widely shared credentials. Many local government organizations share WIFI access between departments.

The amount of detailed personal data accessible via these accounts is staggering, with a wide range of very personal detail including health information and other details. In the case of people who require care or support this includes details of their home life, ac Case notes are often included in such circumstances. None of this information is segmented or encrypted and the access to the data is not audited as security awareness is very low.

John Freeze September 15, 2025 6:52 AM

So, in a nutshell, somebody dreams of a platform through which you will get a message like this one:

“Dear Bob,
your account at Alice’s Burgers has been hacked.
Please klick on this link to fix the issue: https://evilhaxx.ru/bob
You can totally trust it, as it comes from your super trustworthy cyberattack victim notification platform.
Cheers,
Alice”

Somebody should definitely vibe code such a platform 😉

Clive Robinson September 15, 2025 6:35 PM

@ John Freeze, ALL,

With regards,

“So, in a nutshell, somebody dreams of a platform through which you will get a message…”

And they will make millions in revenue…

What’s wrong with this idea, it is after all the basic idea of data and the American Dream that is now the fantasy of the Web 3 / 3.0 bros.

You can see some of them at work over at Molly’s,

https://www.web3isgoinggreat.com/

lorkrem September 19, 2025 8:41 AM

This analysis highlights the paradox at the heart of victim notifications: urgency versus trust. Speed is essential to reduce harm, yet poorly designed notifications risk being mistaken for phishing and ignored. The roadmap makes sense—standardized best practices, middleware for secure delivery, and post-notification support are not just technical fixes but trust-building measures. Unless victims believe the source, even the most advanced frameworks will fail to achieve their purpose.
