With another security incident making recent headlines, we’re looking at five major data loss events in the past month alone. By examining how Target, Neiman-Marcus, Michaels, Coke and others responded, companies can learn a lot about how to handle a data breach – and put better practices in place.
This slideshow features five important lessons learned and key takeaways from recent data breaches for businesses that want to protect themselves from similar disasters, as identified by Mark McCurley, senior information security advisor of IDentity Theft 911, a leading provider of personal-touch identity management solutions, identity theft recovery services, breach services and data risk management solutions for businesses.
Get the word out, pronto
Communicate the problem quickly and clearly. Don’t follow Target’s footsteps. Hackers stole confidential data of up to 110 million customers who shopped at stores from Nov. 27 to Dec. 15, 2013. But instead of proactively announcing the breach, Target got scooped by respected security blogger Brian Krebs, who broke the story on Dec. 18. On the same day, Target CEO Gregg Steinhafel issued the statement that “we are pleased with Target’s holiday performance.” The company confirmed the breach only after the U.S. Secret Service and American Express released their own investigations.
Michaels, on the other hand, took the opposite approach. The arts-and-crafts retailer said it wanted to notify customers of a potential breach “in light of the widely reported criminal efforts to penetrate the data systems of U.S. retailers.” By releasing the news quickly, while the Target and Neiman-Marcus breaches are still being digested, the company may avoid a PR backlash of its own.
Send clear messages
Consider communications to potential victims with great care. Target made yet another egregious error by notifying customers of the breach via poorly considered, suspicious-looking email communications. The message came from a sender address on an unfamiliar domain containing “bfi0” rather than from @target.com. Plus, it directed users to click on a link for additional details on the monitoring. The bizarre “bfi0” in the subdomain offered nothing official to differentiate the notice from the phishing and malware-laden emails scammers send after such corporate data breaches; scammers often rely on exactly these subtle tweaks. Because the notice was delivered via email and originated from a suspicious-looking address, the original message ended up in many customers’ junk mail boxes.
Have an information security policy — and use it
In Coca-Cola’s case, proper security controls clearly weren’t in place. A former employee responsible for maintaining and disposing of computer equipment kept the old computers that contained the personal information of more than 70,000 employees, as well as corporate data. A solid information security policy would cover the handling, sanitation and disposal of sensitive data. Implementation of proper policies and controls with IT governance oversight can minimize the risk of data leakage caused by the disposal of old computer hardware.
Invest in network defenses
Hackers are working to exploit weaknesses in retailers’ point-of-sale (POS) systems and networks. For example, they’re targeting weak administrative passwords used to manage POS systems remotely and finding clever ways to install malware. Retailers would do well to strengthen those POS systems and networks.
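One concrete way to act on this lesson is to audit the administrative credentials on POS hosts that expose a remote-management service. The following is an added example written for this page, not code from the article or from any retailer; the inventory lines, the list of common default passwords and the policy thresholds are constructed for illustration, and a real audit would pull the same fields from an asset inventory or configuration-management system.

```python
"""Audit a POS host inventory for weak remote-administration credentials.

Constructed example: the inventory, the defaults list and the thresholds are
illustrative, not data from the article or from any real retailer.
"""
import csv
import io
import string
from collections import defaultdict

# Constructed inventory: hostname, remote-admin service state, admin user, password
INVENTORY_CSV = """hostname,remote_admin,admin_user,admin_password
pos-lane-01,enabled,admin,admin
pos-lane-02,enabled,admin,Summer2013!
pos-lane-03,enabled,posadmin,Summer2013!
pos-lane-04,disabled,admin,x7#Lq9!vTm2&pRw4
pos-lane-05,enabled,svc_pos,x7#Lq9!vTm2&pRw4
"""

# Small, generic list of commonly used default or weak passwords (constructed)
COMMON_DEFAULTS = {"admin", "password", "123456", "pos", "welcome", "changeme"}
MIN_LENGTH = 12  # assumed policy minimum for remote-admin passwords


def password_issues(password):
    """Return the list of reasons a single password fails the (assumed) policy."""
    issues = []
    if password.lower() in COMMON_DEFAULTS:
        issues.append("default_or_common")
    if len(password) < MIN_LENGTH:
        issues.append("too_short")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        issues.append("low_complexity")
    return issues


def audit_inventory(csv_text):
    """Audit every host; return {hostname: [issue, ...]} for hosts with findings.

    Only hosts whose remote-admin service is enabled are reported, since that is
    the exposure the lesson describes. A password reused on more than one enabled
    host is flagged as 'shared_across_hosts' on every host using it, because one
    compromised lane would then unlock the others.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    enabled = [r for r in rows if r["remote_admin"].strip().lower() == "enabled"]
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for r in enabled:
        by_password[r["admin_password"]].append(r["hostname"])
        for issue in password_issues(r["admin_password"]):
            findings[r["hostname"]].append(issue)
    for hosts in by_password.values():
        if len(hosts) > 1:
            for h in hosts:
                findings[h].append("shared_across_hosts")
    return dict(findings)


if __name__ == "__main__":
    for host, issues in sorted(audit_inventory(INVENTORY_CSV).items()):
        print(f"{host}: {', '.join(issues)}")
```

The audit deliberately ignores hosts whose remote-admin service is disabled: a weak password on a lane that cannot be reached remotely is a lower-priority finding than a shared one on a lane that can. In practice, the report would feed a change ticket to rotate the flagged credentials and, where possible, to disable remote administration on lanes that do not need it.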
Carefully consider whether to offer free credit monitoring to consumers
When a breach involves payment card information and no Social Security numbers, companies like Target often make the mistake of offering free credit monitoring. They’re trying to reassure consumers, but instead may give them a false sense of security. Credit monitoring looks at changes to a credit file that have been reported to Experian, Equifax or TransUnion. Credit monitoring does not monitor existing credit accounts. So, if a Target customer enrolls in the credit monitoring solution provided by Target, that customer would not be alerted if an existing account — in this case, credit cards and payment cards — was used fraudulently. The only way for Target customers to find out if an existing credit or payment card is misused is by monitoring their payment card accounts for suspicious activity.