How Not To Handle a Data Breach

I can just hear Austin Powers say ... "This data breach was a bit of a ...", "... car crash".

Introduction

When you see tweets such as this, you just know that there is a problem in the way a company is handling its data breach:

We all know that companies who respond badly to an incident can damage their brand, and the classic case is Dido on the Talk Talk incident, who gave out incorrect information that confused more than it informed:

The most recent incident relates to the AA and the leakage of 13GB of data. This data has been viewable on-line, and includes email addresses, names and parts of payment card numbers.

Edmund King, who leads the AA, said that they discovered the leak of data on 22 April 2017 and that it related to data within the AA's online shop. They said it was fixed on 25 April 2017, and that it had been caused by a misconfiguration that gave access to two on-line backups.

The AA, at the time, said there were no sensitive details disclosed, but some security researchers, including Troy Hunt and Scott Helme, have been demonstrating that the backups do, in fact, contain sensitive material. With this they have found over 117,000 unique email addresses, as well as names, network addresses and credit card types, expiry dates, and the final four digits of the card. They also think that the AA has not contacted those involved to report the data breach.

In a separate event, the AA recently also sent out an erroneous email that told users to change their passwords, after which their Web site struggled to cope with the number of users changing their passwords. Overall, the password reset email was a mistake on the AA's side.

Conclusions

There are several lessons here.

One is that companies need to respond better to data breaches, especially at executive level. It is important to report precisely and honestly. If there is a debate, it's important to engage with those involved, rather than to threaten legal action.

The other is that companies need to understand where their data is, as systems such as Shodan will find data wherever it is. With GDPR just around the corner, things are going to become a lot more serious, with 4% of global turnover waiting in fines for those who have been negligent.

Richard De Vere

Cybersecurity & Risk Leader | Business Growth Specialist | Founder

7 years

A good post but please be aware of the naivety in it. They are handling this as is 'best practice' for shady PR breach management companies. Their goal is to start a criminal investigation so they can't comment on the matter.

Sasha Lawrence PGD

Level 2 Risk Officer @ Derivco, Information / Cyber Security & Risk evangelist and DJ

7 years

hear hear
