How not to handle a data breach
It was recently reported that an online ticket platform suffered a long, painful security breach. The company sells tickets to events (think festivals) and has been doing so for around 30 years, operating internationally. The breach involved the theft of full names, addresses and credit card numbers.
Participants in my recent newsletter survey wanted me to analyse breaches and write about funny but informative content. So that's exactly what I'm going to do here. That said, I'll also try my best not to include too much sarcasm as I don't want to "bash" the company. I also won’t be naming the company (referred to herein as “the Ticket company”) or any individuals involved.
As I mentioned in the recent LastPass breach, security can be hard, especially for larger organisations. It’s easy for me to sit here and dissect a company’s response to a breach but the reality is, it isn’t straightforward and there is no perfect response. We should, however, use breaches as learning and development opportunities.
This breach gives us so much to talk about in terms of how to, and how not to, manage a data breach. And if I'm being honest, what you’re about to read is how not to. We will, however, take the positives away and see how the company could have done better at preventing, detecting and responding to the breach.
Initial detection - what happened
The initial detection of the security breach occurred in April 2021. Through a third party, the Ticket company was made aware of activity indicating potential unauthorised access to certain event checkout pages.
This was done through a weakness that allowed card-stealing software to be placed within their ticket website. This meant that whenever a customer purchased a ticket, their name, address and full card details were sent to the attackers as well as to the Ticket company.
Reports suggest more than 90,000 customers were impacted in Texas alone, meaning the total could be in the hundreds of thousands in the US.
What should have happened
By the time the Ticket company detected the incident in April 2021, a lot of damage had already been done. Of course, there should have been steps to decrease the likelihood of this attack happening in the first place.
A weakness that allowed malicious code to be placed on the site should have been stamped out long before the platform was ever deployed. If a website accepts sensitive data input, such as personal and financial information, one has to ensure that this cannot be read or stolen by unauthorised parties.
A couple of healthy security practices would have helped here. The most important, in my opinion, is to run security checks (vulnerability scans and penetration tests) against websites which process sensitive information, especially in high volumes. The key is to run them before the site goes live, allowing time to remediate any security findings.
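Because the card-stealing code described above sat on the checkout pages for years without being noticed, one cheap control beyond pre-launch testing is a recurring baseline check of exactly which scripts that page loads. The Python below is an added example, not code from the article or the Ticket company: it assumes hypothetical hostnames and a baseline (allowed script hosts plus SHA-256 hashes of approved inline scripts) that the site owner maintains, and flags anything on the page that is not in it.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
class _ScriptCollector(HTMLParser):
    # Gathers external script URLs and inline script bodies from a checkout page.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # now inside an inline <script>
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def audit_checkout_page(html, page_host, allowed_hosts, allowed_inline_sha256):
    # Returns deviations from the script baseline; an empty list means clean.
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()  # flush any buffered data
    findings = []
    for src in collector.external:
        # A relative src is same-origin; '//host/..' and 'https://host/..' are not.
        host = urlparse(src).hostname or page_host
        if host not in allowed_hosts:
            findings.append(f"unexpected external script host: {src}")
    for body in collector.inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest not in allowed_inline_sha256:
            findings.append(f"unexpected inline script (sha256 {digest[:12]}...)")
    return findings

# Constructed baseline and sample pages with hypothetical hostnames (not the company's).
PAGE_HOST = "checkout.example-tickets.test"
ALLOWED_HOSTS = {PAGE_HOST, "js.payment-processor.test"}
KNOWN_INLINE = "window.dataLayer = window.dataLayer || [];"
ALLOWED_INLINE = {hashlib.sha256(KNOWN_INLINE.encode("utf-8")).hexdigest()}
CLEAN_PAGE = ('<script src="/static/app.js"></script>'
              '<script src="https://js.payment-processor.test/v3/fields.js"></script>'
              f"<script>{KNOWN_INLINE}</script>")
# The same page after two unapproved changes: a new third-party script and a new inline block.
TAMPERED_PAGE = (CLEAN_PAGE + '<script src="//cdn.unknown-host.test/lib.js"></script>'
                 + "<script>/* inline block not in the baseline */</script>")
```

Run on a schedule against the live checkout page, any non-empty result is worth an alert; a same-origin file that has itself been altered is only caught if its hash is part of the baseline too.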
Investigation - What happened
After being informed of the breach in April 2021, the Ticket company launched an investigation with a forensics firm to shut down the unauthorised activity. This was concluded in January 2022, when the Ticket company finally managed to eradicate the attackers. That’s 9 full months after they were initially informed.
Further investigations occurred over the coming months, concluding in September 2022, which determined that the event may have resulted in unauthorised access to customer payment information. That’s a further 9 months from when they managed to eradicate the breach.
The forensics team determined that the breach had begun on June 25, 2019, and lasted until the isolation on January 8, 2022, roughly 2 and a half years.
What should have happened
Many things can happen in 9 months. For one, a twinkle of sperm can grow into a mini-human ready to embrace the world.
Again, this stuff is hard. But even so, the Ticket company’s behaviour suggests they were much more interested in ensuring the pennies kept rolling in than in preventing harm to their customers.
In a perfect world, even after the ship has sailed, a response which prioritises the best interests of its customers would have seen the Ticket company shut down its website until it was safe to re-enable. Yes, this would have cost money in the short term, but it would have instilled confidence that the right thing was being done by its customers.
In an imperfect world, where the customers' best interests are considered alongside revenue, the breach should have been fully contained much, much faster.
Response - What happened
There were a few interesting actions to note in the Ticket company’s response to the breach. Once it had concluded its investigation and taken action (which only took 18 months), it decided to inform the impacted customers by writing to them personally. That is absolutely the right thing to do. Just a touch on the late side.
They chose not to go public about the breach, however. You can't find a single mention of it on their website. Not only did the company refuse to go public about the breach, but they didn’t even have the decency to apologise for their mistake. Almost forgetting the fact that their customers' information and credit card details could have been used in fraudulent transactions for the previous 2.5 years.
In their statement to those impacted, they still couldn’t say with any confidence exactly whose or what data was impacted - itself an underwhelming conclusion to 18 months of investigation work. On the plus side, they did state they were informing customers out of an “abundance of caution”. An 18-month-in-the-making abundance of caution.
Not going public about the data breach was likely an effort to limit the reputational damage and protect shareholder interests. Naturally, word got out anyway and various papers and blogs covered the story in a rather negative manner, as most would expect.
What should have happened
They should have acted faster and been honest. Even when the finer details are unknown, advising customers at least allows them to keep an eye on their financial transactions to prevent identity and payment fraud in their names. Doing the right thing, even in such circumstances, can maintain customer trust.
It’s also very common for companies to offer some form of credit monitoring or protection to customers who have had their data stolen. Despite the fact that full names, addresses and credit card numbers were disclosed, the Ticket company didn’t offer its customers any such support. This level of data is enough for credit card fraud and even identity fraud to be committed. It would have shown a touch of decency if the company had offered credit monitoring services.
An apology is always nice, too.
Competitor data breaches
Another interesting angle here is the fact that a main rival of the Ticket company had already suffered a very similar data breach just a few years ago. 40,000 customer records were stolen in that breach and the UK regulator, the ICO, issued over £1m in fines for “failing to keep its customers' personal data secure. The ICO found that the company failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.”
Usually when a competitor suffers such a public incident, other companies in that space take notice and check how susceptible they may be to suffering a similar incident. Clearly, the Ticket company didn’t do this at all, or didn't do it very well.
Key takeaways
Staff Threat Intel Analyst, Adversary Tactics
2 years ago · You're right to say that security is hard; it's due to how we do it. We create something at minimal cost. What's the first thing to go when it comes to building something new? Security. By the time something is built out and functioning, no one really knows why it works, just that it does. Look at it this way...anything you've never done before is "hard". Snow boarding, juggling...you name it. If you haven't done it before, it's hard. A web app that doesn't validate input from the user? Really? That's nothing new at all.
Principal Consultant @BAE Digital Intelligence | Risk and InfoSec Expert | Compliance Specialist | Strategic Relationship Builder
2 years ago · Great article, Ashley. I hope that you are well and having a great weekend.
Cyber Advisory Analyst @ S-RM
2 years ago · From the customer's perspective, it teaches that what is to be considered isn't that the company or cybersecurity provider never experienced any breaches, it's how efficient their incident response is and how effective their lessons learned / prevention methods are afterwards. The former encouraged many organisations to keep their attacks under wraps, fearing that having it on the news or in public will lose them customers. Security teams are already working on tight budgets (seen as not productive or having no ROI when nothing has happened, making it harder to propose a fair budget for it, yet seen as terrible when something did happen, which ends with more losses that could have been used for prevention). It's time we praise good incident response actions and timely reporting, in comparison to provocative fearmongering and the silence to save face. Thanks for sharing this Ashley, this is a good objective take on what can be done when breaches occur.
Driving your mission: Tailored Cybersecurity solutions for Purpose-Driven Organisations @ Practical Infosec
2 years ago · So many lessons to learn from here! Let’s hope for better reporting of breaches.
Automate & Scale Your Business | Let Apps Talk to Each Other | Grow Without Hiring | Workflow Optimisation, AI-Powered Efficiency & Automation Expert | 15+ Years in Business Ops | Business Book Lover & New Mum
2 years ago · I just HAD to Google who 'the ticket company' were after reading the story. Great article with valuable lessons!