Monday, July 2, 2012

Handling a Security Breach

It's a tough situation to be in. How do you handle a security breach?

Consider this scenario:
Due to the inherent lack of security in Win98, a worm was able to infiltrate almost every computer and send gigabytes of data (possibly including sensitive company data) to a 'redirector' in Eastern Europe. My friend was working on other security projects at this company and stumbled across this massive hole. He quickly convinced company executives to remove Internet access from all Win98 machines, purchase better firewalls, and implement other data protection strategies. However, the sticking point was client notification. Due to the nature of the legacy systems, there was no way to know what data was transferred. For this reason the company wanted to play it safe and disclose nothing. Of course, my friend is all for disclosure and preventing harmful use of the potentially leaked data. My friend doesn't know what to do, so I'd like to know what others here think.
Confidential data was stolen...and it was unencrypted. As I was the one with the know-how to bulk-email folks, the task fell to me to prepare the first draft of a contact letter to those affected, identify what procedure needed to be followed, etc. What would you do in light of the situation above?
Here's what I could this process be improved upon?
  1. Move quickly to assess what information has actually been compromised or has the potential to have been compromised. If the data was encrypted, you're under no obligation to divulge that it was "stolen." However, if the information is unencrypted--in a spreadsheet or a text file--then you must proceed to step 2.
  2. Prepare a statement to send to those affected within 24-48 hours of when the loss/theft of confidential data occurred (sample letter appears below). You'll need to advise them of exactly what confidential information was compromised, and, their options to protect against identity theft. Those options are as follows and should be taken as quickly as possible:

    a) Notify the Federal Trade Commission at (877) 438-4338 ( regarding the possibility of identity theft. Phone option #3 provides specific advice on what to do next. b) Place a Fraud Alert: Contact one of the three major credit reporting agencies to complete an automated phone-in fraud alert process. When individuals place a free, seven year fraud alert, that agency will notify the other two agencies. Fraud alerts will then be placed automatically on the individual's accounts at all three agencies.

    Contact information for the credit agencies: Equifax (800) 525-6285; Experian (888) 397-3742; (fraud alert process available online) TransUnion (800) 680-7289; Once individuals receive their credit reports, they should review them for suspicious activity. If individuals see any accounts they did not open or incorrect personal information, contact the credit agency(s) or the individual's local law enforcement agency (e.g. city police department) to file a report of identity theft. c) Call the U.S. Social Security Administration at (800) 772-1213.

    d) Password protect your bank accounts. Work with your bank to have them require the use of a password before any transactions--including withdrawals or deposits--can be made.

    e) Take advantage of these resources for Identity Theft victims; the more informed you are, the better! * Better Business Bureau - * Identity Theft Resource Center -

  3. Establish a clear line of communication with those affected through a web site, via email, snail mail, AND by phone. Leave no stone unturned in making folks aware. Make contact in multiple forms several different times. Surprisingly, some people believe that "It just couldn't have happened to me!" It's your job to make sure they understand the consequences of inaction.

  4. Communicate, communicate, communicate. If you're on the receiving end of angry phone calls for your organization, be sure to acknowledge that it's the organization's fault, accept responsibility (since you are representing the organization) and listen to what they have to say.

    Explain exactly what they need to do to address the issue, and what you're doing to help...but the most important thing you can do is listen to what they have to say. Communicate in this case means listening and responding, understanding their frustration is definitely legitimate.
  5. Schedule several face to face meetings with the folks affected, and offer to cover the cost of the more detailed options available through the credit agencies. Although the credit agencies offer "free" option--although they'll try to get you to pay--if your organization was responsible, then they should be expected to pay for a few months, especially if there is proof that the compromised data has been used.
Re: Stolen Confidential Data
A laptop computer in the ORGANIZATION NAME, which contained personal information for POPULATION AFFECTED, was stolen on DATE. You are receiving this notification because your name, LIST SPECIFIC INFORMATION COMPROMISED HERE were included in the stolen personal information.
The laptop held confidential information. A vehicle was broken into by unknown parties and stolen. It is believed that the perpetrator(s) was targeting the laptop computer, not the personal information it contained. The stolen computer contained information on POPULATION, including their CONFIDENTIAL INFORMATION. The confidential data files were not encrypted at the time of the theft, thus allowing unauthorized use of this data. At present, we are not aware of any misuse of information but will update you on developments in the case they occur.
We were advised that there was a reasonable probability that the crime would be solved quickly and the information recovered. However, we want to make you aware of the potential consequences. To that end, we are taking steps to prevent future incidents of this type.
1. A web site has been developed to give you online access to information at http:// .
2. Require full encryption of all personal information stored on departmental computer systems. We will also require all ORGANIZATIONS to review personal data stored on computer equipment and to remove all unessential data.
3. Conduct an immediate internal audit of how the department handles all personal information. This audit will examine the security of the systems, the policies and practices regarding access and use of such information, and the policies for ensuring that such data are gathered and/or retained only when imperative. We will also examine all procedures for processing data outside the ORGANIZATION.
Should you have any questions or concerns, please do not hesitate to make contact via email or phone at ###-####.
Finally, on a related note, I was surprised to read in a Readers' Digest about how medical information is being stolen and used! I suppose this is what brought all this to mind.

Get Blog Updates via Email!
Enter your email address:
Delivered by FeedBurner

Everything posted on Miguel Guhlin's blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure

No comments:

Genuine Leadership #4: Gratitude