Eight Ways to Prevent Data Breaches
Perimeter CTO Kevin Prince has kindly offered up several tips for preventing a data breach.
Odds are pretty good that sooner or later your company is going to be the victim of an attack. When that breach happens, do you have a plan in place on how you will deal with the customers whose personal and financial information was compromised? If you have a plan for response, good for you. Now, have you taken a good look at that plan and the third-party vendors you may be using to make sure you are getting the message across to your customers in a manner that instills confidence and trust in your company? Have you even thought about that?
I had the chance to speak with Harry Sverdlove, CTO of Bit9, about his experience as one of the 1.5 million people who had credit-card information compromised in the recent Global Payments breach (Sverdlove also wrote a blog on the incident). His story is a good example to companies on how not to interact with your customer base during such a crisis. Sverdlove knew how to react and what questions to ask along the way because he works in the security industry, an advantage that most of your customers will not have.
First is how Sverdlove found out about the Global Payments breach - he read about it on Brian Krebs' Krebs on Security blog. He said to me:
Initially, I was not told my credit card had been compromised. I called my bank after my card was declined. First I was told that my purchase was flagged as being "suspicious" (even though it is right near my home address, and I had used the card at that same address just a few hours earlier). After pushing the agent on the phone harder to explain "suspicious", she made reference to a "security breach" that I may have heard about in the news recently. When I realized the connection, I said "so basically every transaction I make now is considered suspicious because my card has been compromised", to which she replied "Yes."
During that conversation, Sverdlove had no idea what information about him had been potentially stolen, and the customer service representative would not be able to provide those details. A tip for businesses is to make sure flagged accounts have more detail as to why they are flagged. If it has to do with a compromised account, a trained employee could explain what data was compromised and what the next steps the company would be taking to remedy the situation. That's an important detail because, Sverdlove explained, when he hung up the phone with the bank, this happened:
I received a call from a "Blocked" phone number. The person identified themselves as calling from "Fraud Protection Services" or something utterly generic sounding like that, and asked me for the last 4 digits of my Visa credit card number. They did not call me by name, nor did they identify the bank institution that issued my card. Were it not for the timing of this, I would have hung up the phone immediately-the first thing we warn consumers about after a data breach is the possibility that other criminals will use such news as an opportunity to capture even more victims.
Instead of offering anything, I told the person to tell me everything he knows about my account. After all, he called me. I waited until he named my banking institution, my full name, and my home address and only then we had a very nice conversation. It turned out that this was a legitimate phone call, and they were clearly quick to respond, based on my previous call to the bank. It is just unfortunate, and actually bad, that this third-party institution does not take simple steps to avoid acting essentially the same as a criminal might.
Would other customers think to do this, especially if they were already in a panic because they had just found out their credit card was included in a major breach? While in this case the call was legitimate, scammers use this technique to prey on innocent consumers, and there was the potential for thieves stealing even more personal information.
Too often, companies will do only what is required by law - but no person should ever have to learn that they may have been the victim of a breach through a website or by watching the evening news. Sverdlove's story can provide companies the opportunity to take a hard look at the way they respond to customers after an attack.
Your customers aren't experts in how to react or behave. It is your responsibility to walk them through the process, especially if you want them to remain your customers.