What was the actual information taken? How was the breach perpetrated? Two pretty big pieces of information we are missing. There may also be daily breaches that aren't significant enough to impact earnings that we never hear about.
No, we do not have any kind of transparency.
The second issue (where do I go?) can't be worked out at all until we have some idea of "where do I really not want to be?"
First you said you wanted a report of all breaches, now you're asking for the investigation to be run in public - rather a massive move of the goalposts. Without expressing any sympathy for the banks, I'm having trouble thinking of any business that would be willing or even able to do business under such conditions.
No, what I'm saying is that we don't have transparency in the reports. All we get is "something happened", with very few details of what "something" is. My goalposts never moved; only your interpretation of them.
Would you not agree that a data breach brought on by a disgruntled employee selling records is materially different than the same data breach caused by failure to patch systems? I don't care about the investigation (where did you get any implication I think investigations should be public); I care about the results.
>>Would you not agree that a data breach brought on by a disgruntled employee selling records is materially different than the same data breach caused by failure to patch systems?
Directly contradicts this one:
>>I don't care about the investigation (where did you get any implication I think investigations should be public); I care about the results.
The result is that people's credit card information got stolen. The investigation and the details -- i.e. whether it was an internal or external breach -- are not relevant to me as the customer.
Perhaps you have a different definition of investigation than I do. I see the investigation as the active bit where you are talking to people, looking through logs, trying to figure out what happened. At the end of that, you would have a report that said "this is what happened: this is the data that was lost and this is how it was done". That doesn't imply that every interview and every log file gets published.
Of course there is going to be some level of sanitization, but today we get no information beyond "we lost a bunch of data" (oh, look, they told us names, address, email, "and other information used to categorize customers", whatever that means).
If you decide it's not relevant to you, brilliant. Don't pay attention to it. It is relevant to me, because I don't have any other way to decide who I should trust with my information security. A company losing hundreds of credit cards a day to hundreds of different hacks is much less secure in my mind than a company that loses 70M names and addresses (as far as I know, the Chase hack did not expose credit cards; mine was not replaced). The former goes unreported; the latter gets splashed all over the news.