Established companies like LinkedIn, Tumblr and MySpace are being run through the mill because of old security breaches that recently surfaced on the web. From a victim’s perspective, mitigation starts with a password reset, but what’s happening on the corporate side? How should companies react, in an era of constant breaches, to clean up the mess and regain credibility with their clients?
The first-24-hours checklist includes a series of mandatory actions: documenting everything about the breach, alerting the response team, securing the premises for forensic analysis and notifying law enforcement. But one of the first challenges a company faces is to determine whether the leaked data actually originates from the company.
Here are five questions each affected company should know how to answer when it comes to data.
Is the data legitimate?
When someone, journalist or hacker, comes to you with a batch of emails and passwords presumably from your database, you need to verify its authenticity through various means. A given email-and-password pair may have come from any number of other online sources, so the first step is to check whether the disclosed email addresses exist in your database at all.
Second, vet the dump by looking for record IDs, internal identifiers and timestamps generated by your own systems that are not publicly known. To estimate when the initial intrusion occurred, you can select a batch of customers and ask them to confirm whether the publicly disclosed passwords were theirs, as some free online services do.
How much is the data actually worth?
Pinning down what exactly has been stolen is crucial in understanding the seriousness of the breach. For instance, names and home addresses are less sensitive than email addresses and dates of birth, and incomparably less valuable than payment card data or Social Security numbers.
For instance, 165 million LinkedIn accounts were on sale on black markets for only $2.2k, a suspiciously low amount for credentials of high-profile professionals whose contacts are on LinkedIn. Why would someone sell them so cheaply? Are they bogus, or simply not valuable enough for identity theft purposes?
Have I taken all the precautionary measures to properly secure it?
A tough question that requires an honest answer. Passwords hashed with a strong, salted and deliberately slow algorithm are of little use to an attacker, but not every company uses modern password hashing. LinkedIn appears to have been using raw, unsalted SHA1 for password hashing, so attackers could recover passwords by computing candidate hashes one after another with modern password-cracking software.
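As an added illustration (not code from the original article), the weak scheme attributed to LinkedIn above sits beside a salted, iterated alternative. The users and passwords are constructed, and PBKDF2-HMAC-SHA256 stands in for any modern slow password hash; the point is that raw SHA1 gives every user who shares a password the same stored value, while the salted scheme does not.

```python
import hashlib
import hmac
import os

# Constructed sample users; two of them deliberately chose the same password.
SAMPLE_USERS = {
    "alice@example.com": "Summer2016!",
    "bob@example.com": "Summer2016!",
    "carol@example.com": "correct horse battery staple",
}


def raw_sha1(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-1 over the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Hardened scheme: per-user random salt plus an iterated hash.
    Returns a self-describing record 'pbkdf2_sha256$iters$salt$hash'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_count(hashes) -> int:
    """Count colliding stored values: with raw SHA-1, users who share a password
    share a hash, so one recovered hash exposes all of them at once."""
    return len(hashes) - len(set(hashes))


def compare_schemes(users=SAMPLE_USERS) -> dict:
    raw = [raw_sha1(p) for p in users.values()]
    hardened = [pbkdf2_store(p) for p in users.values()]
    return {
        "raw_sha1_duplicates": duplicate_hash_count(raw),
        "pbkdf2_duplicates": duplicate_hash_count(hardened),
    }


if __name__ == "__main__":
    print(compare_schemes())
```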
Do we have the right guidance for our staff for the data we hold?
As we are regularly seeing, insider threats are the root cause of many severe data loss incidents. To prevent them, data governance policies and appropriate user training are critical. Your business should review the data it holds: which data is accessed or stored by third parties, and how sensitive the customer information you hold is.
Guidance should also define who is responsible for the data when things go wrong and which procedures employees must follow in case of a breach.
Do I need to notify affected customers?
Breach concealment is not an option, yet not all breaches require notification. If your data was encrypted, or an unauthorized employee accidentally accessed the data but didn’t misuse it, you may not be required to notify customers. Be sure to seek legal advice before deciding to forgo notification.