Expert do's and don'ts for dealing with data breaches
- 11 September, 2007 17:56
Organizations that experience data breaches must move quickly to assuage the fears of their constituents and go beyond expectations to address the situations effectively, according to those most familiar with the incidents.
Speaking at the ongoing Security Standard Conference in Chicago, a pair of experts offered advice for handling situations where sensitive user or customer data is lost or stolen, and examined the missteps taken by retailer TJX Companies in handling its now-notorious credit card information theft.
First to the podium was David Escalante, director of computer policy and security at Boston College, which in March 2005 experienced a break in to a server containing sensitive alumni fund-raising information.
By addressing the situation head-on and moving to inform anyone whose data may have been exposed in the incident -- which was ultimately blamed on a third-party IT services provider that managed the affected system -- Escalante said BC was able to minimize the impact of the event and quickly move on.
"This was probably the low point of my career," said Escalante. "But while it was a bad thing to have happen, it seemed at the time that we were doing the right things to handle it, and I'm glad to say that turned out to be the case."
Less than two weeks after BC discovered the breach, the school had assembled a comprehensive incident response plan and had mailed out 100,000 warning letters to anyone whose data may have been stored in the system.
By aggressively seeking to communicate with its constituents, including setting up phone lines on which its alumni could call and complain about the issue, the school was able to move past the situation and better prepare for any future breach events, he said.
Among the tips that Escalante offered for managing such a crisis was to huddle different organizational officials "like a football team" and loop in everyone from the school's public relations department to its campus police force and IT management groups.
By creating a cross-organizational strategy to handle different aspects of the breach, the administrator said, the school was able to assemble the right mix of people to work on different tasks -- from applying computer forensics to study aspects of the breach itself to aligning the right mix of leadership to oversee the entire response process.
At the same time, it was crucial to establish separation of duties early in the game, Escalante said.
"It's good to keep your upper management separate from your response team because they can get in the way. You want management involved, but you don't want them focusing on every little issue," said Escalante. "At the same time by bringing together a diverse response team, IT and security didn't have to coordinate every issue for themselves."
In addition to seeking legal help from its attorneys, the school was able to communicate effectively with law enforcement officials investigating the incident since BC had already familiarized itself with those people before the breach. On the flip side, when Tufts University experienced a similar issue, administrators at the school called Escalante to seek his advice as they didn't know what to expect from law enforcement agencies, he said.
Overall, Escalante said organizations should go slightly overboard to impress on their constituents how serious they feel the problem is and how they can help to fix any related problems.
"Put the people whose data is lost up front. If you don't tell them and apologize, it will hurt more in the end," Escalante said.
Addressing the problematic breach response of TJX Companies, a Framingham, Mass.-based retailer that reported in March 2007 that over 45.6 million customer credit and debit card numbers were stolen from one of its systems over a period of several years, was Richard Stiennon, a well-known security pundit who currently serves as chief marketing officer at filtering appliance maker Fortinet.
Stiennon said that many people now believe the TJX attacks came from kiosks in the company's stores that were used by job seekers to fill out applications. People who were hacking the company simply applied for jobs at TJX stores and planted programs that could be used to intercept credit card data being transmitted in unencrypted form from point of sale systems in the locations.
Handling sensitive data in such a careless way was the first mistake TJX made, and it had plenty of warning that such attacks could be carried out on point-of-sale systems, the expert contends.
Among the additional mistakes made by TJX was not reporting the incident for months, or even years, after it first discovered the hack, he said, as well as failing to address the situation in public and apologize sufficiently to its customers.
TJX has also refused to share information about the attack publicly to help other companies avoid such incidents, Stiennon said.
"There's been a significant lack of core with TJX's response. They didn't overreact as they probably should have, unlike BC," Stiennon said. "As a result they've become the poster child for data breaches and how not to communicate risk to the rest of the security industry."