It’s not the breach that will kill you, but your response to it

Another week, another high-profile data breach and another Chief Security Officer has lost his job as a result. In September it was the CIO and CSO of US credit rating agency Equifax. This week it is the Chief Security Officer of taxi mobile app giant Uber who has been fired following the revelation of a significant data breach at the company back in October 2016.

The Equifax breach involved the penetration of its US dispute portal web application by hackers, who then stole personal data belonging to some 143 million US citizens, including social security numbers and dates of birth.

In the Uber breach, hackers obtained login credentials allowing them to access data stored Uber’s Amazon Web Services account. They stole personal data belonging to 57 million Uber users, including names, email addresses and phone numbers, as well as the driver’s licence numbers of about 600,000 drivers in the United States.

The common factor to both incidents is that, although the breaches themselves were very damaging, this was not what led to the information security officers being sacked. No system in the world is 100% secure against a cyber breach. Even if your corporate security is watertight, one of your employees will eventually let you down through negligence or malice. That is why a data breach of itself is usually forgivable.

What is not forgivable is a corporate response that fails to conform to regulatory standards and fails to alert the victims (by which I mean the individuals whose information has been stolen) so that they can take action to protect themselves against identity theft.

Equifax took six weeks to notify customers after they first discovered the breach. Uber have taken 12 months and their first response was allegedly to pay the hackers $100,000 to return the information and keep quiet about the breach. They also failed to encrypt the data in storage, so there was nothing to prevent the hackers from misusing it.

The actions of security officers in both companies have almost certainly opened their employer up to regulatory fines and civil lawsuits by their customers and employees for failure to protect their data and exposing them to having their identities stolen. Uber’s CEO, Dara Khosrowshahi, has confirmed that the CSO, along with a second employee, were fired because of the response to the data breach rather than the breach itself.

Crises Control provides a compliance reporting tool that will enable you to put in place formal notification reporting policies, notify employees and customers of a breach, and also generate an audit trail of your actions in case of later investigation.

Crises Control will make sure that your corporate response to any data breach meets regulatory requirements, such as under the EU GDPR. The new GDPR regulations require organisations to be better prepared, quicker in responding, educate staff in cyber awareness and ensure that they execute data their breach processes efficiently. GDPR breach fines are so great that for some businesses it could mean “lights out”.

Take action to put your response plan in place now, before a data breach takes place and avoid the fate of the information security teams at Equifax and Uber.