How to Handle A Data Breach

To a modern business, a data breach can have devastating effects. We have seen TalkTalk hastily bungle, Sage coyly dawdle and much more generally mess it up, it’s got to change. We don’t spend all day hunting these elusive beasts either, but we have had our involvement in both mentioned breaches and feel we could offer some public insight to the very elusive modern mishap.

We urgently want change. Our motivations aren’t always clear to everyone as we put pen to paper on some of the biggest breach events but let me reiterate one more time, it is not about bashing household brands, it’s not about gaining notoriety, it is not for personal gain.

“We desire to disrupt the cyber crime industry, we want to reduce digital crime of all kinds, we want to secure businesses and people alike. We put this goal above profit, public opinion and sometimes our own safety.”

Few seem to be truly doing this in the Information Security industry, most opting for a quick buck from a new idea or product. The whole industry is a mess. Sure if you listen to a few vendor talks they will show some impressive statistics and you might temporarily feel a little safer but in reality, cybercrime rises year on year. There is only so much a small company can do to reduce these colossal figures, so occasionally we call on the media to help us shine a spotlight on the issues we think need addressing. It’s a little like chucking an angry pitchfork mob at a situation that needs the delicacy of a fine seamstress, but often it’s all we have.  I have prepared some key points that will be relevant should you find this post in the hours after discovering a breach at your FTSE 500 organisation. Please listen!

High-Level Advice

  1. Money – Cash moves everything around us and your company has a legal responsibility to do what is in the best interests of your shareholders. We understand this, we don’t agree with it, but we do genuinely acknowledge the world isn’t all about free love and mutual co-operation. Your data breach is going to negatively effect your brand and subsequently your shareholders if you mismanage it. You could try to bury the whole event and pretend it didn’t happen – this could work! But in modern times there is just so many ways in which it would come out. The odds of hiding a data breach are worse each year and if the media get hold of this and it’s evident to the ever growing tech-savvy public that you acted in this shady manner – simply watch your share price fall because you deserve it. You can minimise this fall by simply handling the event like professionals from the start. You can even make it pay! Barclays sole intention is to make money but look at all they do to secure people, they offer advice, advertising campaigns promoting current frauds, they go above and beyond in securing their customers. Are Barclays really a big ole’ friendly company after all? Of course not, they are just wise enough to see the potential in being conscientious. Adopt a similar attitude and make security pay, there is nothing wrong with this.
  2. Ethics – When we talk of data breaches in information security we talk of rows of data, the amount of records, databases and the like. It’s all very clinical. Victims of frauds then report these instances to Action Fraud and in turn, they talk about them as ‘reported incidents’ THESE ARE PEOPLE! Whilst you debate a breach in your boardroom you should undo the distance we have created in this respect. It might only be 1 row of a spreadsheet, but to a criminal that is a potential victim. It could be a pensioner about to be relieved of her life savings or a child that is now open to an online attack.
  3. Incident Handlers – You don’t need them. They come in at times of need with their flash suits and ridiculously high fees. Telling you to lock down communications, advising you in how to spin the event to your customers. Their sole aim is to get as much money out of your company at a time of need and you pay them handsomely… You sustain this lie because it’s the done thing. They issue a little statement on your behalf “our customers are our biggest priority” and communicate “We are sorry and are doing all we can to rectify the matter” and then they leave. The figures a year later don’t matter to them, they have been paid and have an extensive contract. Your customers and brand you’ve worked hard to build deserve more. Instead, you should call upon the resources you have in your organisation, your own PR people, your own technicians, the police. If you need a specialist then by all means get one to consult for you but this should never cost more than £3000 a day. If it does you are falling for the illusion that this misfit bunch of vultures are better than the passionate people that do this ‘hands on’ for a living.

The Basics

  1. The second you spot a breach, call the police and call the Information Commissioners Office. They keep information confidential, you can always contact them later and advise of the situation as it changes. It is essential they know what you know as soon as possible.
  2. Quantify it, analyse it, define what happened. Get your senior IT technicians together and ask for their input. If early indicators point to a serious event – call in a forensics outfit that is trained and experienced in dealing with an examination and can feed into the investigation, collating evidence as they go. You need to quickly assess what has happened, who is affected and what data has gone where.
  3. Create a project plan that pulls together timeframes of investigations, police involvement, board member briefings etc
  4. Release a notification to your customers promptly. Include the findings of your initial investigation and make sure it is clear and not misleading. It should include advice on what they need to do in the interim period whilst they wait for your next release of information. Give customers a clear timeframe of when the next statement will be.
  5. Normally the second briefing will be the final one and made available to the public, so make sure it contains everything. The amount of records affected, the type of data that has been lost, advice for customers that doesn’t solely rely on passing them to action fraud and the ICO’s page. This is your time to shine. Include genuine help at this point and more than an apology. Refunds, credit monitoring, bespoke specialist advice created for your breach, the improvements you intend to make.

This guide is not a comprehensive guide. If your incident response situation relies on reading this blog and acting on its words, you are already underprepared and almost sure to fail. But I hope the contents will be observed and the points mentioned will be noted and fed into your organisations handling procedures. Data breaches are a case of when not if and eventually over time we will remove the taboo associated with the dreaded data breach, paving the way for transparency and openness to the benefit of the millions of people in the UK affected by frauds every year.