How to prepare for an unconventional data breach

Oct. 26, 2015
Organizations need to look beyond the protection of personal financial records

The fact that hackers are no longer motivated solely by financial gain should not come as a surprise to anyone. Today, all data shared online is valuable as cybercriminals may target a business for the purpose of extortion or simply to cause harm. While in these cases customers are not always the primary target, they can often be affected as collateral damage when their information is exposed in a data breach.

There is no better example of this than the recent highly publicized Ashley Madison attack, which received significant attention due to the hackers’ extortion attempt and the personal and potentially embarrassing nature of the customer information that was exposed. While the hackers indicated their motivation was to shut down the business itself, the resulting exposure of its client database caused customers to suffer personal harm, with an aspect of their private lives exposed to the public. Unlike other incidents that have revealed personally identifiable information that could lead to financial fraud, such as credit card numbers or usernames and passwords, in this case the mere public association with the company is potentially harmful to its customers.

As a result, any company that stores customer records should take note of this evolution in cyberattacks when assessing the types of data it stores, and be prepared for increased privacy expectations from customers. That means security managers need to protect more than customer financial records alone, and they should consider updating their incident response plans to account for more unconventional types of data breaches.

Re-evaluate Data Security

One of the biggest steps companies can take to prepare for an unconventional cyberattack is practicing good data hygiene. While most companies understand the need to secure records with intrinsic value like credit card information, they should also take a close look at securing other records that may at first blush seem less valuable – even email exchanges that could be used against the organization or customers in the event of a data breach.

As a best practice, IT security teams should ensure they segment all data and delete outdated records in a timely manner. Other good data management practices include implementing multi-factor authentication and comprehensive data encryption. From a data collection and customer privacy standpoint, companies should limit the amount of information they collect to what is needed for the business. Having unnecessary data on file only increases the chance for added liability should a data breach occur.

The importance of securing all customer information is underscored by the recent FTC case against Wyndham Worldwide, in which the federal courts ruled in favor of the FTC’s accusation that Wyndham failed to effectively safeguard customer data. Even if a company only collects usernames and email addresses from customers, if it does not take proper steps to secure that data, the FTC now has the authority to penalize them.

Educate Employees

In addition to hardening IT security, companies need to focus more on educating employees. Cyberattacks exploiting human mistakes are extremely common, yet research shows that a majority of businesses are not doing their due diligence to adequately address the issue. To put it in perspective, approximately 80 percent of the data breaches Experian has serviced had a root cause in employee negligence, yet only 54 percent of businesses report having privacy and data protection awareness training for employees and other stakeholders who have access to personal information. Every company should have clearly defined and consistently communicated policies for all aspects of its data management. Make sure to restrict access to sensitive data to only those employees who truly require it in order to do their jobs, and employ multiple layers of verification to ensure that the only people accessing the data are those authorized to do so.

Update the Incident Response Plan

Ideally, companies are already auditing their incident response plan on a semi-annual basis to ensure they are accounting for emerging risks and any changes in the type of data they are collecting. As part of this process, risk management teams should work to update the response plan to reflect new types of non-payment card data breaches that are emerging and the various types of information that could be lost. Companies can also take cues from how industry peers have handled data breaches and prepare for a similar scenario.

Prioritize Customer Communication

As with any data breach, effectively communicating with customers after a security incident is critical to maintaining trust and mitigating the resulting impact on brand reputation. In an event like Ashley Madison where potentially embarrassing customer information is leaked, companies should consciously think of ways to conduct notifications in a way that will help and not add more harm. Consider having a call center available for concerned customers to address questions while maintaining their anonymity.

Malicious data breaches, in which hackers target companies for harm or extortion, have the potential to cause significantly more damage than a traditional payment card breach and are harder to resolve. As more data breaches like these occur, we can expect a rise in customers’ awareness of online privacy and security practices and continued pressure from regulators to secure data. It is imperative that companies be prepared to respond to any type of security incident, and rethink the traditional nature of breaches, because the unexpected should be the expected.

About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president of Experian Data Breach Resolution. A veteran with more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space, where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently serves on the Medical Identity Fraud Alliance (MIFA) Steering Committee, the Ponemon Responsible Information Management (RIM) Board, the Information Security Media Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.