They keep taking value from data they promised to delete.
Data retained longer than stated retention period. The vendor's documented retention policy says 30 days, but identifiers, cookies, or data persist for months or years. The data they claimed to delete continues generating value.
How This Escalates BTI-C Findings
Escalates persistence findings (C13) and storage findings (C03). Data that should have been deleted still exists and is still being used.
Related Advisories
No published advisories reference this code yet.
Investigations are ongoing.
Blackout uses security frameworks to protect AGAINST vendors, not FOR them. We do not notify vendors. We do not provide remediation windows. If you're using a vendor flagged by this code, the advisory is your evidence.
Permanent URL: deployblackout.com/bti/codes/X03