Kudos to the hacked business that comes clean in a clear and timely manner to enable data breach victims to protect themselves.
The most recent example comes from kiosk manufacturer Avanti Markets, which warned Friday that some of its self-service vending machines, often placed in corporate break rooms, had been infected by malware and that users' credit and debit card data may have been compromised (see Self-Service Kiosk Maker Avanti Markets Hacked).
In a subsequent data breach notification update on Monday, the firm offered this tentative breach timeline:
- July 2: Malware somehow infected about 1,900 Avanti kiosks.
- July 4: Avanti Markets "discovered a sophisticated malware attack which affected kiosks at some Avanti Markets." The firm says it immediately launched an investigation, which included "retaining a nationally recognized forensic investigation firm." Within hours, responders appear to have contained the malware and begun eradication.
- July 7: Avanti Markets issues its first breach notification, warning that malware on an unspecified number of machines may have compromised payment card data and some users' biometric (fingerprint) data. It urges kiosk users to watch for payment card fraud.
- July 11: Avanti Markets issues an updated breach notification with the latest findings, including this timeline, and the number of affected kiosks. It notes that biometric data was not exposed, and details its efforts, begun in May, to add end-to-end encryption to all of its kiosks.
- Soon: The kiosk maker promises additional investigatory details, including a count of all affected individuals. It also pledges to provide them with prepaid credit monitoring services.
Elapsed time, from detection to the initial notification? Just three days. Even better, the details being released by the kiosk maker are actionable and thorough, says Raj Samani, chief scientist at anti-virus firm McAfee.
"It is a really comprehensive FAQ and the inclusion of credit monitoring is equally a great response" https://t.co/Cujz2NHy7f (Raj Samani, @Raj_Samani, July 11, 2017)
Fast Response Can Cut Costs
There's a business case for being able to respond clearly and rapidly to breaches, Samani tells me. He cites the "2016 Cost of Data Breach Study" from market researcher Ponemon Institute - sponsored by IBM - which looked at breached businesses globally. On average, a breach costs $158 per record, the firm found. But by Ponemon's reckoning, having an incident-response team lowered the average cost of a breach by $16 per record.
Other "big bang for the buck" moves: widespread use of encryption; sharing of threats and related intelligence; having business continuity management - aka disaster recovery - plans in place; having a CISO; and having board-level interest and involvement in all matters cybersecurity.
(Chart: Impact of 16 Factors on Per-Record Cost of a Data Breach, from Ponemon Institute's 2016 Cost of Data Breach Study)
For me, the calculated savings are less important than the takeaway that these cost-reducing moves are likely signs of an organization that plans ahead. Indeed, having an incident response plan in place and an outside, rapid-response investigation team on call; encrypting sensitive data; and having a CISO are all shorthand for an organization that thinks ahead about cybersecurity.
Such preparation, of course, can help prevent bad things from happening. But when they do happen, planning ahead pays dividends, both by helping to contain the problem and by avoiding the public relations nightmare that follows from issuing confused or ill-informed warnings - or none at all.
Apparent Breach Cover-Ups Abound
Unfortunately, being able to give a shout-out to a breached business that's been transparent and forthright in a timely manner is relatively rare.
In recent weeks, the AA motoring association in Britain, for example, "consciously elected not to notify subscribers after being alerted to the disclosure of 13 GB worth of publicly accessible database backups back in April," says Australian data breach expert Troy Hunt in a Monday blog post.
Another recent apparent breach that may have affected Indian telecommunications firm Reliance Jio is also leading to confusion. On Sunday, a website called Magicapk.com went online, purportedly allowing anyone to retrieve records for 120 million Reliance Jio users.
The company responded to the potential breach by saying it was investigating the "unverified and unsubstantiated claims," suggesting they were false. "Prima facie, the data appears to be unauthentic," it said in a statement. "We want to assure our subscribers that their data is safe and maintained with highest security."
Users, however, quickly begged to differ, taking to social media and Reddit to confirm that they'd checked their details on Magicapk.com - now offline - and found them to be legitimate.
"This Jio data leak is real. Has my data as well." https://t.co/uU9gbBQhuc (Kiran Jonnalagadda, @jackerhack, July 10, 2017)
One Reddit poster said the information had appeared for sale several months earlier on a darknet marketplace called M00n$hine, reachable only via the Tor anonymizing browser.
Fast Reaction Requires Preparation
The first rule of data breaches, via Hunt, might simply be this: Don't lie, don't spin. Cover-ups will fail, and make whoever is doing the covering up look ethically challenged, to put it nicely.
Instead, give victims what they need to protect themselves. There's no right answer for how quickly an organization should notify victims of a breach. But in general, 30 days seems to be a good benchmark, barring any regulations that might impose other rules (see Data Breach Notifications: What's Optimal Timing?).
The fact that so few firms appear to have a way to rapidly react - even if just to say "we're investigating, we take all potential breaches very seriously, stay tuned for immediate further updates" - can be read as their having failed to prepare. That's despite information security experts warning, for years, that the only way to effectively respond to a breach remains planning and practicing ahead.
I have literally been writing that sentence for more than a decade.
What will it take for more businesses to get with the data breach preparation plan?