When a breach happens, how you handle it can make all the difference. The actions of the CEO and the executive team, both during and in the aftermath of a breach, are of critical importance. We've looked closely at the most prominent breaches of the past year and scrutinized how leadership dealt with these events.
Since our earlier blog post on the topic, both the frequency and the business impact of data breaches have increased dramatically. In the US alone, 1,244 data breaches were reported in 2018, amounting to over 446.5 million exposed records.
Below, we analyze the best and the worst responses to breaches in 2018 with the following criteria in mind:
- Public acknowledgment
- Accountability and transparency
- Plan to rectify the breach
The Best Response of 2018: Omer Deutsch, CISO at MyHeritage
If there was a textbook-worthy example of how to handle a breach, this is it. On June 4, MyHeritage announced a data breach in which the email addresses and passwords of 92.3 million of its users were leaked.
Quick and targeted communication: Immediately following the discovery of the breach, all the relevant information was posted on the website, with regular updates available on the company's blog. The announcements detailed what happened, what data had been affected, and what measures were being taken to mitigate the impact.
Users were provided with actionable instructions on what to do to protect their accounts.
In addition, Deutsch's team created a customer service response team available 24 hours a day, by email or by phone.
Segregating sensitive data: Family tree and DNA data were stored on isolated systems, separate from those storing the email addresses, with added layers of security.
Force-expire all passwords: On June 5, Deutsch's team began a process to force-expire all MyHeritage passwords.
Upgrading authentication measures: Immediately following the breach, the company expedited development of a planned, but optional, two-factor authentication feature.
The Runner-Up: MyFitnessPal
On March 25, 2018, Under Armour announced that the data from some 150 million MyFitnessPal app accounts was compromised. Based on the number of records compromised, this was one of the top five breaches to date.
Lightning Fast Detection And Disclosure: On average, companies take about 197 days to identify and 69 days to contain a breach. Under Armour, however, not only discovered but also publicly disclosed the breach in under a week. That's laudable; remember that Uber took over a year to disclose its breach.
Segmenting user data: We have to give Under Armour credit for keeping their crown jewels (sensitive data such as birthdays, location information, and credit card and payment data) segmented enough to protect it from being exposed.
Requiring Password Resets: Under Armour instructed users to change their passwords immediately.
Not salting hashes and using SHA-1: While most of the leaked passwords were hashed with bcrypt, a relatively strong password hashing mechanism, a significant portion of the passwords were protected with a significantly weaker 160-bit hashing function, SHA-1, without a salt. When it is known that a better option exists, there is no excuse for storing credentials using insecure hashing algorithms.
Downplaying the impact: Regardless of what happened next, millions of users' personal data was still compromised. Even though more sensitive data such as birth dates and social security numbers was left intact, the leaked credentials could be a serious problem for people who reuse passwords across multiple websites.
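To make the "unsalted SHA-1 versus bcrypt" point concrete, here is an added example (not code from the original post or from Under Armour) that stores the same constructed set of user passwords two ways and measures what a leaked table gives away. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, an assumption made so the example runs offline; the lesson is a per-user salt plus a work factor, not the specific algorithm. The user list and the "common passwords" list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample data: three users, two of whom chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "Tr0ub4dor&3",
}

# Constructed stand-in for a public list of common passwords (hypothetical).
COMMON_PASSWORDS = ["password", "123456", "correct horse", "letmein"]


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one fast, deterministic, unsalted SHA-1 digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> str:
    """A salted, deliberately slow scheme. PBKDF2-HMAC-SHA256 from the standard
    library stands in for bcrypt here (assumption: the lesson is salt plus a
    work factor, not the particular algorithm). Returns a self-describing record
    so the salt and round count travel with the hash."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored credential
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and rounds, then compare
    in constant time so verification does not leak timing information."""
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_digest_count(hash_fn: Callable[[str], str]) -> int:
    """Number of users whose stored value duplicates another user's.
    Unsalted hashing reveals 'these two accounts share a password' just by
    looking at the leaked table; a per-user salt hides that relationship."""
    stored = [hash_fn(pw) for pw in SAMPLE_USERS.values()]
    return len(stored) - len(set(stored))


def recoverable_by_lookup(hash_fn: Callable[[str], str]) -> int:
    """How many stored values a leaked database would give up to a single
    precomputed table built from COMMON_PASSWORDS. Only a deterministic,
    unsalted function lets one table serve every user at once; with salting,
    the table would have to be rebuilt per user, paying the work factor each time."""
    table = {hash_fn(pw) for pw in COMMON_PASSWORDS}
    return sum(1 for pw in SAMPLE_USERS.values() if hash_fn(pw) in table)


if __name__ == "__main__":
    print("SHA-1 duplicates:", shared_digest_count(sha1_unsalted))
    print("PBKDF2 duplicates:", shared_digest_count(pbkdf2_salted))
    print("SHA-1 hits from one lookup table:", recoverable_by_lookup(sha1_unsalted))
    print("PBKDF2 hits from one lookup table:", recoverable_by_lookup(pbkdf2_salted))
    record = pbkdf2_salted("correct horse")
    print("verify correct:", verify_pbkdf2("correct horse", record))
    print("verify wrong:", verify_pbkdf2("wrong", record))
```

Run as a script, the SHA-1 column shows one pair of duplicate digests and two accounts recovered from a single lookup table, while the salted column shows none of either; the verification path still accepts the right password and rejects the wrong one. Migrating the weak records is what the "force-expire all passwords" step above buys you: once users log in again with a new password, the credential can be re-stored under the stronger scheme.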
The Worst Response of 2018: Steve Hardigree, CEO at Exactis
A Florida-based marketing and data aggregation firm specializing in mining and acquiring user data was responsible for one of the worst breaches to date. With over 340 million records exposed, the Exactis leak dwarfs the Equifax breach in size and is second only to the Yahoo hack of 2013.
Irresponsibly collecting and storing user data: Although the records did not include social security or credit card numbers, the depth of data exposed is truly terrifying.
According to Wired, every single one of 340 million exposed records had over 400 data points, including sensitive information such as phone numbers, addresses, political preferences, purchasing and browsing data, number and age of children and more.
Unsecured server...do we need to say more?: The difference between the Exactis data breach and most others is that hacking wasn't even involved. The data was left wide open on an unsecured server without even the most basic security safeguards.
In 2018, the very year that data privacy was making headlines, with Mark Zuckerberg facing Congress and the GDPR coming into force, the fact that Exactis was handling sensitive user data with such blatant irresponsibility is mind-boggling.
No public disclosure: The breach exposed the data of hundreds of millions of American adults, as well as millions of businesses. Yet, when it was made public by third parties, Exactis's CEO made no public statement on the affair.
Deflecting responsibility: When Steve Hardigree, Exactis's CEO, finally made a public statement, he stated that "According to log reports there was no breach," completely ignoring the possibility that this personal information could be utilized by threat actors to run targeted phishing campaigns and social engineering schemes. At the time of writing, the company is (rightfully, in our opinion) facing a class action lawsuit.
So what can we learn from the best and the worst responses of 2018?
- Address the situation and disclose quickly: come forward as soon as you learn about the breach. The longer you wait, the worse the public backlash will be.
- Gauge the public reaction by analyzing your social media chatter: be proactive, not reactive, when addressing customers' concerns on social media.
- Train employees on how to respond to customers to regain trust: your customers must feel that you have their back, especially in the event of a breach.
- Improve support with smart digital capabilities: set up chat, SMS and phone support for concerned customers.
- Implement new cyber strategies: internal awareness of the actions required in the event of a breach is paramount.
- Create a response plan: prepare in advance, because once the breach hits it is already too late.
Given how many high-profile data breaches are happening all around us and the extent of the damage they have caused over the years, it's critical for CEOs to prepare for post-incident response in ways that limit the potential fallout.
When a breach hits, time is of the essence. That is why we have created a template for a post-incident presentation that can come in handy in the aftermath.