Data breaches cost time, money and reputation. Two recent cases in point are the Epsilon data breach and the revelation that personal information belonging to 3.5 million Texans was inadvertently exposed on the Web.
In both cases, the data breaches shine a light on the importance of protecting data, but what about how organizations should act in the aftermath of a breach? For compromised companies, the question is an important one -- and one that presents an opportunity for security VARs and vendors.
Research from the Ponemon Institute has shown in the past that companies that move too quickly after a breach can often end up costing themselves more money. In its analysis of data breaches in 2010, the institute found that while 43 percent of the companies notified victims within one month of discovering the data breach, these “quick responders” paid an average of nearly $100 more per record ($268 compared to $174) than those who took longer.
“Our results suggest that moving too quickly through the data breach process may cause cost inefficiencies for the organization, especially during the detection, escalation and notification phases,” according to the Ponemon report.
Once a breach has happened, there are four tasks for companies to prioritize, Will Irace, director of threat research for Fidelis Security Systems, told CRN. One, identify the attacker; two, uncover the technical details of the breach; three, assess and improve cyber defenses and strategies; and four, communicate responsibly with the victims.
“Each of these discrete tasks represents an opportunity for vendors,” he said. “No specific technology, including encryption, can be regarded as a solution except as part of a coherent broad strategy for handling data breaches.”
In the case of Epsilon, the company was quick to notify customers, but left details of the actual attack under wraps. The company, which is owned by Alliance Data and offers marketing services for more than 2,500 clients, announced April 1 that an attack on its e-mail system had been detected March 30. The attack exposed e-mail addresses and/or customer names for roughly 2 percent of the firm’s clients, including Marriott International, Walgreens and others.
Shortly after being notified by Epsilon, several companies issued alerts of their own. Marriott for example told customers April 4 that an “unauthorized third party gained access to a number of Epsilon’s accounts, including Marriott’s email list.”
Victims of the Epsilon breach faced potential fallout in the form of spear phishing, a threat that prompted warnings from security vendors and the Better Business Bureau.
“It seems to me that customers, the public and the security community are helped by maximal disclosure, so that customers can take appropriate steps to protect themselves, the public can increase its awareness of data breach risks in general, and the security community can improve its practices when it comes to preventing and responding to breaches,” Irace said. “Companies may be understandably reluctant to share the preferred level of detail, in order to protect their reputation or other information deemed secret.”
In addition to its customers, Epsilon also contacted law enforcement, and is working with federal authorities to investigate the breach. In terms of information disclosure, companies should follow the lead that is imposed by law enforcement, said Josh Shaul, CTO of Application Security. In addition, companies should contact an attorney familiar with breach notification laws and follow their advice as well.
“The attorney will help your organization determine what to disclose, while law enforcement will determine when this disclosure is allowed,” he said. “There is a balance between informing and protecting your customers and the viability of your business.”
Senator Richard Blumenthal (D-CT) called on Epsilon Monday to provide more details of the attack, and has said he plans to announce legislation in the coming weeks to protect consumers from phishers.
“Epsilon owes it to these consumers to provide them with tools to ensure the safety of identification and financial information, and also to take serious steps towards preventing these types of breaches in the future,” he said in a statement.
According to Alliance Data Systems, Epsilon’s parent company, the security protocols within Epsilon controlling access to the system have undergone a rigorous review, and access has been further restricted as the ongoing investigation continues.
The challenge with breaches like the one that impacted Epsilon is that it did not involve payment card information, and therefore there are no rules such as the Payment Card Industry Data Security Standard (PCI DSS) to really enforce this type of data protection, said Avivah Litan, an analyst with Gartner.
That is not the case with the latest breach reported in Texas. According to the office of the Texas Comptroller of Public Accounts, personal information from 3.5 million Texans was exposed due to a server being publicly accessible over the net. The data, which was unencrypted, included social security numbers, names, mailing addresses and other information. In a statement, the Comptroller’s office explained the information was in data transferred by the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS).
“The data files transferred by those agencies were not encrypted as required by Texas administrative rules established for agencies,” the Comptroller’s office said in a statement. “In addition to that, personnel in the Comptroller’s office incorrectly allowed exposure of that data. Several internal procedures were not followed, leading to the information being placed on a server accessible to the public, and then being left on the server for a long period of time without being purged as required by internal procedures. The mistake was discovered the afternoon of March 31, at which time the agency began to seal off public access to the files.”
The agency has contacted law enforcement, and plans to begin sending letters to victims April 13.
“I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location,” said Texas Comptroller Susan Combs, in a statement. “We take information security very seriously and this type of exposure will not happen again.”
The PCI Data Security Standard, Litan said, provides good guidelines as to how to protect sensitive data. For example, steps that should be taken include network segmentation so that sensitive data is walled off, data obfuscation or encryption for sensitive data, strong access controls for privileged accounts that have access to the sensitive data, monitoring activity around sensitive data access and making sure access is blocked on suspect transactions.
“I think that standard can be used to set some ground rules as to what is essential when it comes to protecting sensitive information,” she said.