The Right (and Wrong) Way to Respond to a Data Breach


As data breaches grow larger and more frequent, it has become clear that there is a right way and a wrong way to respond to one. StubHub handled its intrusion well: it contacted affected customers immediately and walked them through changing their passwords, cutting off further unauthorized use of their accounts. Other companies have been far less diligent.

From waiting months to announce the news to never apologizing to customers, here are some of the worst breach responses we have seen, followed by the practices that will help your organization handle a breach correctly.

Target

Over the 2013 holiday season, 40 million credit and debit card numbers were stolen from in-store Target purchases, along with 70 million customer records containing shoppers' names, mailing addresses, e-mail addresses, and phone numbers.

The intrusion began on November 13. The network security firm FireEye sent Target alerts on November 30 and December 2, but Target did not act on them, and it was not even the first to tell the public: Krebs on Security broke the story a week before Target's own announcement. Once the news was out, customer service lines were jammed for hours, and Target's initial notice on its website was not prominently displayed.

Most industry analysts agreed that Target reacted poorly in the early days of the breach, and the consequences showed in its most recent earnings report, which put the cost of the breach for Q2 at $148 million.

AT&T

Over a two-week period in April of this year, employees of an AT&T vendor accessed customer accounts without authorization and retrieved personal records, including Social Security numbers and dates of birth. AT&T took two months to disclose the breach, and did so through a published notice that was not sent to all of its customers. It has also never been clear about how many customers were affected.

Snapchat

Days after Gibson Security published details of a Snapchat security vulnerability, Snapchat was hacked and the usernames and phone numbers of 4.6 million users were posted online. Gibson Security had warned Snapchat about the flaw four months before the hack, but Snapchat did not do enough to fix it. When it updated users afterwards, Snapchat did not say whether the vulnerability had been fixed, did not apologize, and did not take responsibility. Instead, it blamed Gibson Security for "publicly document[ing] our API, making it easier for individuals to abuse our services and violate our Terms of Use".

eBay

A total of 145 million eBay users were affected by a breach that took place in February and March 2014. Using compromised credentials for an internal eBay corporate account, the attackers gained access to usernames, e-mail addresses, physical addresses, phone numbers, and dates of birth. eBay's response? Dave Kennedy, CEO of security consultancy and breach response firm TrustedSec, called it "one of the worst responses [he's] seen in the past ten years from a company that's experienced a breach." Here is what eBay did:

  • Posted a note on its corporate website, ebayinc.com, leaving out many pertinent details.
  • Posted an incomplete alert on PayPal.com (instead of eBay.com), leaving customers confused about which credentials they needed to reset. The body of the alert consisted only of the words "place holder text", so customers had no idea what steps to take.
  • Finally posted a note on eBay.com, but did not say whether financial information had been exposed. And instead of forcing a password reset at next login, eBay merely asked users to change their password, so anyone who never saw the notice kept using an account the attackers may have been able to reach.

The Proper Data Breach Response

So what does a better response to a hack or security breach look like?

  1. Take responsibility and be completely transparent with your users. Communicating early and clearly is what limits the damage.
  2. Post customer communications prominently, where customers will actually see them.
  3. Scale up customer support so your company can proactively help customers reset passwords and address their concerns, rather than waiting for them to notice a notification.
  4. Restore trust by communicating the security measures your company is putting in place to prevent a future breach.
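The eBay item above (merely asking users to change passwords) and step 3 here turn on the same technical decision: after a breach that may have exposed credentials, revoke every live session and require a password reset at next login instead of relying on users to see a notice. The following Python is an added example, not code from this page or from any of the companies discussed. The in-memory account store, session handling, PBKDF2 hashing and single-use reset tokens are all assumptions made for illustration, and the account data is constructed inline.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your own hardware budget


@dataclass
class Account:
    """Hypothetical account record; a real system would persist this."""
    username: str
    salt: bytes
    pw_hash: bytes
    sessions: Set[str] = field(default_factory=set)
    must_reset: bool = False           # login gate set by the breach response
    reset_token: Optional[str] = None  # single-use, delivered out of band


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def login(acct: Account, password: str) -> Tuple[str, Optional[str]]:
    """Returns (status, session_id). Once a reset has been mandated, a correct
    password is not enough: the user is blocked until they change it."""
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return ("bad_credentials", None)
    if acct.must_reset:
        return ("reset_required", None)
    sid = secrets.token_urlsafe(16)
    acct.sessions.add(sid)
    return ("ok", sid)


def force_reset_all(accounts: Dict[str, Account]) -> Dict[str, str]:
    """The 'force' response: every affected account loses its live sessions
    (an attacker holding a stolen cookie is logged out too) and cannot log in
    again until the password is changed. Returns per-user reset tokens that the
    notification e-mail would carry (constructed here, not actually sent)."""
    tokens: Dict[str, str] = {}
    for acct in accounts.values():
        acct.sessions.clear()
        acct.must_reset = True
        acct.reset_token = secrets.token_urlsafe(32)
        tokens[acct.username] = acct.reset_token
    return tokens


def complete_reset(acct: Account, token: str, new_password: str) -> bool:
    """Consumes the token, rejects re-use of the possibly exposed password,
    re-salts and re-hashes, and lifts the login gate."""
    if acct.reset_token is None or not hmac.compare_digest(
        token.encode(), acct.reset_token.encode()
    ):
        return False
    if hmac.compare_digest(hash_password(new_password, acct.salt), acct.pw_hash):
        return False  # same password as before the breach: still exposed
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.reset_token = None
    acct.must_reset = False
    return True


def demo() -> Dict[str, object]:
    """Walks one constructed account through breach, forced reset and recovery."""
    accounts = {"alice": create_account("alice", "correct horse")}
    # The attacker already holds a valid session before the breach is noticed.
    _, attacker_sid = login(accounts["alice"], "correct horse")
    tokens = force_reset_all(accounts)  # breach confirmed
    after_force = login(accounts["alice"], "correct horse")[0]
    reuse_ok = complete_reset(accounts["alice"], tokens["alice"], "correct horse")
    changed = complete_reset(accounts["alice"], tokens["alice"], "battery staple")
    return {
        "attacker_session_revoked": attacker_sid not in accounts["alice"].sessions,
        "login_after_force": after_force,
        "old_password_reuse_accepted": reuse_ok,
        "reset_completed": changed,
        "login_after_reset": login(accounts["alice"], "battery staple")[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast with "merely asking" is the `must_reset` gate and the cleared session set: a notice the user never reads changes nothing, whereas the gate holds until the reset is actually completed, and the old password cannot be handed straight back in.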