5 Lessons In How Not To Handle A Security Breach
Effective Breach Response Hinges On Preparedness
High-profile data security breaches have helped shape data breach notification laws that force businesses to communicate a breach to the public and authorities when personally identifiable information has been exposed. When a crisis takes place and the pressure is on incident response teams, security experts say only the teams that have conducted mock training drills are in prime position to execute a plan effectively. It takes only one misstep to fan the flames, causing further damage to a firm's already tarnished reputation. The following breaches illustrate why a thorough incident response plan is needed and why clear communication of the facts is necessary.
2008: Heartland Payment Systems Breach
Some 134 million credit cards were exposed following an attack on Heartland Payment Systems that targeted a Web application vulnerability and eventually gained access to the firm's sensitive systems. Heartland CEO Robert Carr blamed the company's PCI DSS assessors, explaining to reporters that the company had been assessed as compliant six months before the breach. Despite being breached by a common attack technique, Carr blamed credit card companies and the PCI Council. After those missteps, Heartland eventually turned the breach into a win by focusing on encouraging the industry to develop better encryption standards for credit card data. The breach eventually resulted in the arrest and conviction of Albert Gonzalez.
2006: TJX Companies Breach
A group of hackers targeted Wi-Fi weaknesses at retailer TJX's stores, using the weak encryption implementation to steal credit card data as it was transferred between stores in Florida. The TJX breach resulted in the exposure of nearly 100 million credit cards. The problem was discovered in December, but the retailer delayed an announcement until Jan. 17, explaining that investigators had requested time. Dozens of banks were notified by credit card issuers of the potential for fraud, but the identity of the breached firm was withheld. The firm did not encrypt its credit card data. The attack was also attributed to Albert Gonzalez and others as part of an international group intent on credit card theft.
2011: Sony PlayStation Breach
Hacktivists broke into the Sony PlayStation Network, exposing the personal information of more than 77 million accounts associated with the gaming platform. The breach occurred in April 2011, and Sony took its gaming network offline for three weeks while a forensics team investigated the scope of the problem. Sony didn't acknowledge the possibility of data loss until April 26, and the firm did not confirm the data exposure until May 4. The breach included thousands of unencrypted credit card numbers.
2007: Monster.com
At least 1.3 million job seekers using Monster.com had their personal information stolen and used in the following days in phishing scams related to the breach. The Monster.com breach included addresses, phone numbers and email addresses. Monster Worldwide withheld information about the breach for five days while hackers conducted phishing attacks using the stolen information. Eventually, security firms analyzing the phishing scams estimated the extent of the breach, and Monster told Reuters that the extent of the data exposure was far worse than the firm had anticipated.
2011: Epsilon
Email marketing firm Epsilon became the poster child for third-party data breaches when hackers gained access to millions of customer email addresses belonging to at least 50 of its clients. Epsilon did not detect the attack until two months after spearphishing email messages reportedly targeted Walgreens customers. The Epsilon breach caused a cascade of announcements from Best Buy, JPMorgan Chase, Citigroup, L.L. Bean and other firms warning their customers that they could experience phishing scams and spam messages as a result of the breach.