New Delhi, June 29 -- a single point of failure that gave an attacker access to up to 14.22 million sets of email credentials in one intrusion.

Japan's second-largest mobile carrier disclosed the breach publicly on June 23, six days after detecting and blocking the intrusion. The company said it had modified the affected system and notified Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications from the day of discovery. What the disclosure did not include was the name of the third-party software that contained the vulnerability, the identity of the vendor who made it, or how long that flaw had been present in KDDI's email platform before anyone found it.

Those omissions matter because...