In 2017 the number of cybersecurity breaches has continued to grow. The Identity Theft Resource Center (ITRC) recently published an updated report of confirmed data breach notifications impacting U.S. organizations: 1,120 breaches and more than 171 million records exposed. That adds further credibility to the warning from many cybersecurity professionals that it’s not a matter of IF your organization will be breached but WHEN. With that in mind, I want to point out that HOW your organization handles its response to a breach (its Incident Response) makes a HUGE difference. Here are a few organizations I found that handled their breach disclosure well in 2017.
Disqus was the first organization to come on my radar for a well-handled breach notification, thanks to a mention on the Smashing Security podcast, hosted by Graham Cluley and Carole Theriault. Within 24 hours of discovery, Disqus disclosed the breach to the public, began contacting affected users, and forced password resets for all affected accounts. According to Carole on Smashing Security, when the breach was first announced on the Disqus website, the announcement even held a prominent position on the home page, ensuring that regular users would see it and act accordingly.
Their public announcement was posted to their blog and clearly lays out the facts of the breach, including:
• When they were alerted, by whom, and a timeline of events thereafter
• What data existed in the leaked database
• How many users were potentially impacted
• A description of the potential impact for users, and
• An outline of the steps Disqus has taken and is taking to protect the data going forward
• A link customers can follow for more information about protecting themselves from identity theft
• An apology
Despite the large number of potentially impacted users (17.5 million, according to Disqus), the reaction to the public disclosure was largely positive because of the quick response; in some cases Disqus even received praise for it.
We Heart It similarly appears to have responded quickly and effectively to a breach they learned about from Troy Hunt earlier this year. They posted a notice about the breach within two days of being alerted and, according to the notice, began investigating the leak immediately. The notice is posted in their help center and likewise aims to share the relevant facts with the public:
• Roughly how many user accounts were impacted
• Confirmation of the leak and the timeframe in which it occurred
• Confirmation of which information was potentially leaked
• The weaknesses of the algorithm used to protect stored passwords, and their approach to dealing with the leak
• Recommends that customers change their password
• Offers an apology
Additionally, We Heart It emailed affected users over the weekend immediately following the notification, alerting them and recommending that they change their password. Unfortunately, they did not reset users’ passwords on their behalf, leaving the burden on the users themselves: an account whose owner never sees or acts on the email stays exposed. Overall, however, their quick response and notification were well received.
Almost there… SVR Tracking
Although SVR Tracking was quick to lock down their leaked data when Kromtech Security Center notified them on September 20th, their lack of any response, either publicly or to Kromtech and other media outlets, soon led to reports that the leaked passwords had been hashed with an outdated algorithm, SHA-1.
As a result, SVR was compelled to respond and explain in their announcement that they had moved to SHA-256. One caveat the announcement does not address: SHA-1 and SHA-256 are fast, general-purpose hash functions, not encryption, and an unsalted fast hash of either kind can be attacked offline at very high guess rates on commodity GPUs. The real fix for password storage is a per-user random salt plus a deliberately slow, iterated function (PBKDF2, bcrypt, scrypt or Argon2), combined with resetting the passwords that were exposed. The lack of an actual apology to customers and partners is disappointing; however, I applaud that the alert is now present on the home page of their website, and the response should help to restore the narrative and their customers’ faith in the company, provided no further information has to be extracted from them over time.
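The two password-storage points above (We Heart It addressing the weaknesses of its storage algorithm, and SVR Tracking swapping SHA-1 for SHA-256) are easier to see in code. The following is an added example written for this post; it is not code from either company or from the original article. It shows that a tiny wordlist attack costs the same against unsalted SHA-1 and unsalted SHA-256, then shows a hardened scheme (per-user salt plus PBKDF2-HMAC-SHA256, which is in the Python standard library) and an upgrade-on-login path for records still stored in the legacy format. The iteration count, salt size, record format and function names are assumptions for the illustration, not anything either site published.

```python
"""Added example: why SHA-1 -> SHA-256 does not fix password storage, and
what an actual upgrade looks like. Standard library only; all names, the
record format and the work factor below are assumptions for illustration."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

# --- Weak storage: an unsalted, fast hash (the situation described above) ---
def weak_hash(password: str, algo: str = "sha1") -> str:
    """Unsalted SHA-1 / SHA-256 hex digest. Deterministic and fast, so a
    leaked table can be attacked offline with a wordlist or rainbow table."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()

def crack_weak(digest: str, algo: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack. Each guess costs one hash call, and that
    cost is essentially the same whether algo is 'sha1' or 'sha256'."""
    for guess in wordlist:
        if weak_hash(guess, algo) == digest:
            return guess
    return None

# --- Hardened storage: per-user salt + slow, iterated PBKDF2-HMAC-SHA256 ----
PBKDF2_ITERATIONS = 600_000   # assumption: tune so one hash takes ~100 ms
SALT_BYTES = 16               # assumption: 128-bit random salt per user

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$dk_hex."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def needs_rehash(stored: str) -> bool:
    """True for a legacy unsalted digest, or a record below the current work factor."""
    if "$" not in stored:
        return True
    scheme, iters, *_ = stored.split("$")
    return scheme != "pbkdf2_sha256" or int(iters) < PBKDF2_ITERATIONS

def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify against a legacy or current record; on success, return the
    record that should now be stored (upgraded if it was weak or outdated).
    Legacy records are bare hex digests: 40 chars = SHA-1, 64 = SHA-256."""
    if "$" not in stored:
        algo = "sha1" if len(stored) == 40 else "sha256"
        ok = hmac.compare_digest(weak_hash(password, algo), stored)
    else:
        ok = verify_password(password, stored)
    if ok and needs_rehash(stored):
        return True, hash_password(password)
    return ok, stored

if __name__ == "__main__":
    wordlist = ["password", "123456", "letmein"]   # constructed sample input
    for algo in ("sha1", "sha256"):
        leaked = weak_hash("letmein", algo)
        print(algo, "cracked ->", crack_weak(leaked, algo, wordlist))
    ok, record = login("letmein", weak_hash("letmein", "sha1"))
    print("legacy login ok:", ok, "| upgraded:", record.split("$")[0])
```

Upgrade-on-login only protects users who log in again; hashes that were already leaked have to be treated as compromised, which is why forcing a reset on the exposed accounts (as Disqus did) matters in addition to changing the storage scheme.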
Report the news or let the news report on you
I think one of the clearest messages here is that when your organization becomes aware of a breach you need to act fast and be open about it, especially if you were notified by a third party. Having an Incident Response plan is invaluable in high-stress, time-critical situations such as these. Clear communication channels need to be established within your organization before an event occurs, so the response is focused and effective. Breach notification laws are gradually spreading across the US, but, as I hope I’ve demonstrated here, you WANT to notify your customers quickly, effectively, and accurately regardless. One of the big takeaways from this year’s Equifax breach should be just how BADLY they handled their public response. If you want customers to trust you with their data, you need to be open and honest with them, and you need to back that up with effective action.
Incident Response is not something you can buy a fix for; your plan needs a customized approach that fits the culture of your organization. So, if you don’t yet have an Incident Response plan for your organization, reach out to us here at FRSecure. Our Incident Response team and Security Analysts help organizations prepare for the inevitable every day.
Link of the day:
Lastly, I want to refer everyone to this great article by Troy Hunt on preparing for an inevitable breach.