Imagine you’ve just been informed of a data breach. The details are scant. You don’t know the number of records breached and it’s unclear if this is a minor incident or an existential threat to your company (and your job security). Your team is scrambling to respond to the attack. If you know how it happened, you might be busy securing vulnerable infrastructure, but it’s just as likely that the cause of the breach isn’t known and your focus in the first hours and perhaps days is spent uncovering how it occurred.
As high-profile data breaches continue to increase in frequency and severity, cybersecurity and incident response have become a boardroom discussion. Many large enterprises have adopted an “assume compromise” mentality — recognizing that a breach may not be a matter of “if” but rather “when”. Given the chaos that follows a data breach, creating a plan after an incident is ill-advised and prone to fail. Having learned from some of the abysmal incident responses of the past, many companies now have an incident response plan in place.
How not to respond
Before diving into the ideal breach response, let’s first examine what happens when a botched response hurts customer confidence and impacts a company’s bottom line. Target has regrettably become a case study in how not to handle a data breach. The retailer experienced a massive breach of what eventually was revealed to be up to 40 million customer payment cards. The incident, which occurred at the peak of the 2013 holiday shopping season, could not have come at a worse time. What’s more, the company’s IT security team received an alert that pinpointed a probable intrusion in their network but failed to investigate.
Cyber attackers siphoned card data for over two weeks. Customers, and the world, learned about the breach from Brian Krebs who broke the news on his blog after discovering large numbers of stolen payment cards for sale on the Dark Web. In the days following the news, Target failed to communicate with banks about which payment cards were stolen. By then, scammers had already begun making fraudulent transactions with stolen card data. Some banks began buying stolen card numbers linked to the breach in order to determine which cards were compromised. Customers were unable to reach Target due to a jammed customer service line, and generally avoided shopping at the company’s stores.
In the end, Target’s quarterly profit during the critical holiday shopping season plummeted 46 percent. Facing intense criticism over their handling of the incident, the company’s CIO and CEO both resigned. Target has since faced several lawsuits over the incident and has reached a $10 million settlement with customers, a $67 million settlement with Visa, and a $39 million settlement with several U.S. banks to reimburse them for losses related to the breach.
The first 48 hours
The first hours after a data breach are critical to taking control of the situation and preventing the type of crisis faced by Target. Companies should prepare a detailed incident response plan that includes roles and responsibilities, timelines, and required actions. To fully prepare for an incident, all companies should thoroughly understand the different types of personal and regulated data the organization collects, including how this data is protected, to whom it is transmitted, and who has access to it. This understanding lets an organization craft an incident response tailored to the type of data involved and the security measures already in place.
An effective incident response plan should also include cybersecurity insurance. The Target breach, for example, resulted in direct costs of $252 million, but the company’s insurance reimbursement brought that number down to $162 million. The legal department also plays a key role in shaping the response based on the requirements laid out by government regulations around data privacy and security. For example, knowing that HIPAA does not require customer notifications when stolen health records remain encrypted can significantly lower the liability an organization faces.
The first hour
Once a breach is discovered, it should trigger an investigation by the forensics team. At this point, the crisis communication plan also kicks into action. The organization should immediately assemble the internal response team and notify the FBI or other law enforcement agencies. At this point, you should also contact a predetermined list of PR firms, law firms, and security vendors who specialize in breach response.
Hours 2 to 12
While the legal and PR teams formulate how to communicate the breach to customers, the news media, and law enforcement, the forensics team should be hard at work determining the scope of the breach and its root cause. Meanwhile, the engineering team should focus on patching the vulnerable systems that led to the breach as they are identified.
Hours 12 to 48
In the majority of cases, the initial assessment of the scope of the breach underestimates the eventual reality. For this reason, assume the worst-case scenario. Start reaching out to identity theft protection services, credit reporting vendors, and banks. At this stage, the legal and PR teams begin reaching out to the media, customers, and the government, as well as any affected partners.
Adaptable letter and email templates created before the breach can enable you to promptly notify customers and the media. This not only limits the further risk customers may face, but it also gives the organization some control over the media narrative of the breach. The breach notification can be communicated through several channels, including:
- Social media
- Press release
- Corporate website and blog
- Custom website that provides the details of the breach
- Customer portals
Even if the scope of the breach isn’t determined quickly, the PR and legal departments should communicate whatever information is available to them.
If user credentials are at risk, the organization should implement an automatic customer-wide password reset while turning on some form of multi-factor authentication. If personally identifiable information (PII) or PCI-DSS regulated data was exposed, free credit monitoring should be offered to the customers. If protected health information (PHI) of over 500 individuals was breached, all affected parties, the government, and the media should be notified immediately due to a HIPAA-HITECH mandate.
Beyond the first 48 hours
Though the first 48 hours are the most critical time in executing an incident response plan, they are just the beginning of a very long road. Organizations should expect a deluge of customer and media inquiries and must have a plan to handle a significantly higher volume of calls and emails than is typical. It will likely take weeks, if not months, for the forensics team to uncover the full scope of the breach. You should be prepared to rip apart elements of your infrastructure and rebuild them with best-in-class security features.