We recently discussed the steps you should take when handling cyber threats, but now we turn our attention to things you definitely shouldn’t do. Based on recent history, it’s a lesson organisations desperately need. It’s hard to imagine things getting any more embarrassing after disclosing a data breach, but news stories of bungles, cover-ups, denials and dismissals prove that things really can go from bad to worse.
Don’t cover up the incident
When organisations are breached, affected individuals have a right to know. It enables them to take steps to keep their data secure, or, at the very least, mitigate any damage. That’s why most cyber security regulations – including the EU General Data Protection Regulation (GDPR) – require breaches to be disclosed promptly.
But that doesn’t always stop organisations covering up breaches. Uber is one of the most recent examples. In November 2017, it was revealed that the transport app company paid criminal hackers $100,000 (about £75,000) to delete personal data of its customers and drivers.
The stolen data included the names, email addresses and phone numbers of 50 million Uber customers as well as the personal information of about 7 million drivers – 600,000 of whom also had their driver’s licence numbers exposed.
Uber filed the payment as a ‘bug bounty’, ignored its legal requirement to disclose the breach and only admitted its error when Bloomberg discovered the cover-up.
The irony is that the public’s response to the story focused on the cover-up more than the breach itself. We’re getting used to the idea that data breaches are inevitable, and all the public and regulators expect is for breached organisations to identify them promptly and react responsibly.
Don’t create your own cyber attack
This one seems obvious – yet the AA got into all sorts of problems last year when thousands of its members received an email telling them that their passwords had been changed. Customers justifiably assumed this meant that their accounts had been breached, and contacted the organisation on social media.
The AA responded by tweeting: “We’re aware an email has been sent to members re password change Please don’t ring the number in the email. We’re looking into this urgently”.
Thousands of customers rushed to log in to the AA’s site to find out more, but the sudden spike in traffic overloaded servers, effectively causing a denial-of-service condition, which, in turn, prompted customers to believe that criminals had indeed hacked the AA.
And all because of an erroneous email. Well, not exactly; it turns out there was another layer to this story…
Don’t pretend like nothing’s happened
A few hours after its site crashed, the AA sent a follow-up tweet: “The email was sent by us, but in error. Your password hasn’t been changed, and your data remains secure. Sorry for any confusion.”
Except there was a data breach. Cyber security researcher Troy Hunt said that a follower had “notified [the AA] about 13GB of exposed DB backups” two months earlier. This was confirmed by Hunt’s Have I Been Pwned website and Motherboard.
In a statement issued to Motherboard, the AA said: “We can confirm that the AA was informed of a potential vulnerability involving some AA Shop data on 22nd April 2017.” It claimed that the issue was fixed on 25 April.
However, given the similarity to the earlier incident and the AA’s surreptitious response, one has to wonder whether the two episodes were connected. Regardless, many experts were concerned that the AA had repeatedly covered up the breach and left its customers in the dark. In an email to Motherboard, Hunt said:
“The most infuriating aspect of this incident is that the AA knew they’d left the data exposed, they knew it had been located by at least one unauthorised party and they knew that a six figure number of customers had been impacted, but they consciously elected to keep it quiet and not notify anyone.”
Incidents like this are far from rare, with toy manufacturer Spiral Toys providing another example. When its products were found to allow anyone in the vicinity to send and receive audio messages captured by the Internet-connected devices, the organisation said it was a “very minimal issue”.
Cyber security researcher Paul Stone demonstrated how easily the vulnerability – which reportedly exposed 2.2 million voice recordings and customers’ personal data – could be exploited, but Spiral Toys insisted that there was no direct evidence that the information got into the hands of criminal hackers.
The organisation, which was already in dire straits, faced a strong backlash. It later admitted fault and vowed to improve its security features, but fresh concerns have recently been raised.
Although these stories might suggest otherwise, data breach response doesn’t have to be hard. All organisations need to do is accept that breaches happen, be ready for when they strike, and be honest about what’s happened and what they plan to do.
An incident response plan (IRP) sets out everything an organisation should do when disaster hits, and an effective plan tailors the response to the type of disruption. For example, your priorities and course of action will be substantially different when hit by a phishing attack as opposed to, say, a power outage.
You can learn more about this topic by enrolling on our Incident Response Management Foundation Training Course.
This one-day course covers everything you need to know to detect, analyse and respond to a variety of threats. An expert practitioner will guide you through:
- The role of the incident response team;
- Formulating an IRP;
- Incident scenarios for common attack vectors; and
- The ways in which an IRP helps you comply with the GDPR and the Network and Information Systems (NIS) Regulations 2018.