What To Do After a Data Breach


You thought you had done everything you needed to protect your business, but your company ultimately fell victim to a data breach. You’re not the first and DEFINITELY not the last. However, it isn’t necessarily the data breach itself that sends a company underwater; more often it comes down to how the company handles communication with its clients after the breach. We’re all someone’s customer, and all of us are at risk of having our personal information mishandled.

Q: What is a data breach?

A: A data breach is when stored information is exposed to unauthorized parties, often by an attacker. This can include credit card information, confidential PII (personally identifiable information), social security numbers and much more. Data is more valuable than ever, and protecting your customers’ information is critical to keeping your business running. Besides patching the vulnerability behind the breach, business management needs to act quickly to inform its customers.

Q: What should I do first?

A: As mentioned before, PATCH THE EXPLOIT! Once that exploit is no longer usable, as far as you can tell, you need to assess the known damage and look for damage you don’t yet know about. If your IT staff is not confident it can determine this, you may want to bring in a specialist in network and data forensics to assess what could have been compromised. Any data that may have been touched should be checked to see whether it was stored encrypted or in plain text. If it was encrypted, you might still be in safe waters. Anything that was visible or accessed needs to be reported to the customer. Many businesses choose not to inform their clients about the information exposed in a data breach; this only makes the damage much worse in the long run. Once the information becomes public, customers will ask how someone got hold of it, investigators can get involved, and eventually… it will lead right back to your business. Not informing someone about their compromised information can lead to heavy lawsuits. Equifax, for example, is losing millions and millions of dollars in lawsuits over its data breach and its failure to inform its clients.

Q: What if my data was encrypted at the time of the attack?

A: It depends on what level of encryption or hashing you were using to store the data. Many software tools make it easy to decrypt weakly encrypted files. Consider upgrading the strength of your encryption as a preemptive strike against any possible attackers. If you can crack your encryption with a basic paste-and-translate decryption tool, an attacker can too.
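The two answers above say to check how touched data was stored and to judge whether the protection would hold up to an attacker. The script below is an added example of that assessment for one common data type, stored passwords; it is not code from the original post or from HVTDC. It classifies each stored value as plain text, an unsalted fast hash (MD5/SHA-1/SHA-256 hex digests, recognised by length) or a salted, slow key-derivation function, flags identical digests across accounts (a sign that no salt was used, so one recovered password reveals every account sharing it), and shows the stronger format to migrate to (PBKDF2-HMAC-SHA256 with a random salt). The sample records, usernames and passwords are constructed for the example; the `pbkdf2_sha256$…` string layout is an assumption of this example, not a standard.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a credential table as it might look during a
# post-breach assessment: (username, stored_value). Invented values only.
def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("alice", "Summer2024!"),                         # stored in plain text
    ("bob",   _md5_hex("Summer2024!")),               # unsalted MD5
    ("carol", _md5_hex("Summer2024!")),               # same password as bob: identical digest
    ("dave",  hashlib.sha1(b"letmein").hexdigest()),  # unsalted SHA-1
]

# Hex digest lengths of the common unsalted fast hashes.
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Layout assumed by this example: pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>
KDF_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+)$")


def classify(stored: str) -> str:
    """Return 'salted-kdf', 'unsalted-fast-hash' or 'plaintext' for a stored value."""
    if KDF_RE.match(stored):
        return "salted-kdf"
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in HEX_DIGEST_LENGTHS:
        return "unsalted-fast-hash"
    return "plaintext"


def audit(records: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count storage formats and digests shared by more than one account."""
    counts = {"plaintext": 0, "unsalted-fast-hash": 0, "salted-kdf": 0}
    digest_users: Dict[str, int] = {}
    for _, stored in records:
        kind = classify(stored)
        counts[kind] += 1
        if kind == "unsalted-fast-hash":
            digest_users[stored] = digest_users.get(stored, 0) + 1
    # Identical digests across accounts mean no per-user salt was applied.
    counts["duplicate-digests"] = sum(1 for n in digest_users.values() if n > 1)
    return counts


def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Stronger storage format: PBKDF2-HMAC-SHA256 with a 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    m = KDF_RE.match(stored)
    if not m:
        return False
    iterations = int(m.group(1))
    salt = base64.b64decode(m.group(2))
    expected = base64.b64decode(m.group(3))
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print("audit of sample table:", audit(SAMPLE_RECORDS))
    upgraded = hash_password("Summer2024!")
    print("upgraded format:", upgraded)
    print("verify correct password:", verify_password("Summer2024!", upgraded))
    print("verify wrong password:", verify_password("Winter2024!", upgraded))
```

Note that a hash cannot be converted into the stronger format without the original password, so a real migration rehashes each account at its next successful login and forces a reset for accounts that never return. Whatever the outcome of the audit, any account whose stored value was reachable by the attacker still belongs in the customer notification, as the next answer explains.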

Q: How do I inform my clients?

A: Honesty is key when it comes to handling customer relationships. Even if the data that was stolen was heavily encrypted, you should still warn customers that their information might have been compromised. State that the information may have been accessed through an exploit and that the exploit has been patched. Inform them that their data was encrypted at the time of the breach, but that they should still take precautions, such as changing the affected password and any matching passwords they reuse elsewhere. If you avoid informing your customers about what an attacker accessed, you’re starting to tread into murky legal water. It is better to practice transparency and give clients the opportunity to better protect themselves.


This is the 8th part of an 8-part series. To learn more about cybersecurity and safe practices, check out the links below:
Phishing
Safe Internet Browsing
Social Engineering
Safe Passwords and Security
IoT + BYOD
Rogue Access Points
Penetration Testing
What to Do After a Data Breach

This Q&A concludes our Cyber Summer Series. If you have any further questions, you can reach our cyber expert, Ian Wustrau at ian.wustrau@hvtdc.org. We hope you took away some new, safer practices from reading our series. Feel free to share with your friends, family, or colleagues that could benefit from implementing some of these user practices!