Suffering a data breach can be extremely harmful to your organization. But it’s how you react to it that can be fatal.
For the unprepared organization, many questions will be asked around the office. Who do we tell? When do we tell them? Are we sure it’s real? Can we get away with it?
I’ve not been in the situation of discovering a data breach myself, but I’ve spoken to a few that have. One person I spoke to whose employer suffered a major data breach a few years back said the offices were “absolute madness. This hadn’t happened before and nobody was quite sure what they should be doing.”
After hearing these words, I thought it would be good to take a look at organizations that clearly had no idea what they should be doing.
In January this year, hackers leaked phone numbers and login details for 4.6 million Snapchat users. Days before this breach, Gibson Security announced a Snapchat security vulnerability that they had warned Snapchat about four months before. Snapchat acknowledged the vulnerability and said it had been dealt with.
Snapchat users didn’t take their response well, saying things like “This is an apology? WTF” and “If your security depends on your API being private, you have no security.”
Everyone knows about the Target data breach, but does everyone know about how badly it was handled? 40 million debit/credit card details were stolen in the breach last year, and it wasn’t even discovered by Target. Network security firm Tripwire sent Target two alerts on November 30 and December 2 – both of which were ignored. It wasn’t until a week later that prominent security journalist Brian Krebs broke the story.
For the next couple of days, phone lines were jammed and Target failed to display a message on its website that was easily accessible.
Target’s delay in realizing the breach and their woeful efforts to let customers know what was happening has led to their breach being seen as one of the most poorly handled breaches of all time.
Did you read this blog post hoping to see a hilarious attempt at responding to a data breach? Good, because here’s a great one.
March 2014: 145 million eBay users become victims of a data breach that saw the theft of usernames, email addresses, physical addresses, phone numbers, and dates of birth.
eBay attempts to respond by quietly posting a note on its corporate website ebayinc.com. This note left out so many details that it was, in fact, totally useless.
Their next attempt to alert users of an eBay breach was posting an alert on paypal.com – leaving thousands confused about which credentials they needed to change. To make matters worse, the alert didn’t even have any details – it just said “place holder text”.
The hilarity didn’t stop there. eBay finally posted a note on the eBay site but failed to mention whether financial information had been leaked. The whole situation became pretty sad when eBay didn’t even force users to change their passwords, meaning you’d only know about the breach if you found their notification, which wasn’t prominently displayed.
What should organizations do?
If your organization suffers a breach, you need to ensure that you do the four most vital things.
- Patch the hole to stop this happening again.
- Alert all of those affected, and give them detailed information about what they need to do.
- Take responsibility for your error and be 100% transparent.
- Improve your security.
You can’t pick and choose between these four: you need to do all four.
Managing your information security effectively can be a troubling task, especially if you’re a large organization with several divisions. An increasingly popular option for organizations that want to improve their security is certification to ISO 27001.
ISO 27001 is the international information security management standard that sets out the requirements of an information security management system (ISMS). An ISO 27001-certified ISMS will help your organization manage and protect the information you have. Implementing the Standard will significantly reduce the chance of your organization ever having to respond to a data breach.