"Best Practices"? for Data Breaches

LifeLabs, a Canadian company, suffered a significant data breach. According to this statement, the damage was “customer information that could include name, address, email, login, passwords, date of birth, health card number and lab test results” in the magnitude of “approximately 15 million customers on the computer systems that were potentially accessed in this breach”.

It is an unfortunate event for the company, but eventually the ones hurt the most are the customers who entrusted it with their private information. It is also clear that the resources this company allocated to defending that information were not enough. I don’t know the intimate details of this event. Still, from my experience, the cyber defense posture in such companies is usually on the verge of negligence and, most commonly, severely underfunded. We, as consumers, have got used to stories like this every other week, which numbs us into accepting whatever the industry dictates as the best practices for such an event.

The playbook of best practices can be captured quite accurately from the letter to customers:

"We have taken several measures to protect our customer information including:

  • Immediately engaging with world-class cyber security experts to isolate and secure the affected systems and determine the scope of the breach;
  • Further strengthening our systems to deter future incidents;
  • Retrieving the data by making a payment. We did this in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals;
  • Engaging with law enforcement, who are currently investigating the matter; and
  • Offering cyber security protection services to our customers, such as identity theft and fraud protection insurance."

My interpretation of those practices:

  • First, deal with the breach internally with very high urgency, even though many times the attackers were inside your network for months. The mere awareness that a breach exists puts everyone in critical mode, which most commonly means disconnecting and shutting down everything and calling law enforcement.
  • Get your data back so the business can continue running – you can’t imagine how many companies don’t have a fresh copy of their data, so they have to pay the extortionists the ransom to get their data back.
  • And here comes the “strengthening the security to deter such attacks” – I don’t know what it means in practice, as from my experience it takes a long time to turn a company from a probable breach case into something that can deter future attacks. I guess it is a one-time expense in the form of buying some fancy security products, which will take months and maybe years to roll out.
  • Now that the company is back in business and customers still don’t know that their data is potentially out there, bringing joy and prosperity to the attackers, the last and main challenge emerges: how to prevent a potential PR nightmare. And the acceptable answer is: let’s set up some website to show we care and let’s give the customers insurance on fraud and alerting service to know when their information gets abused. Practically saying to the customer that now that your data is out there, you are on your own, and it is advisable to stay tuned to alerts telling you when your data reaches terrible places. Good luck with that…

A new theatre play called “Best Practices” emerged mostly to mitigate all kinds of business risks while posing as “taking care of” customers.

More articles by Dudu Mimran