Data Breaches – It’s not if. It’s when!
Written on 13 September 2022. Ten days later, Optus.

Some years ago, I was purchasing a new road bike, all carbon fibre and unobtainium. The bike shop owner also talked me into a new helmet. His sales pitch was “you’ll need this for when, not if, you come off.” He was not wrong. I did, eventually, come off. Big time. Bruised ego, road rash, broken ribs, but a fully intact head. Which is more than I can say for the seriously cracked helmet.

In a world where everyone is collecting data on everyone else – even the taco sellers want you to order, and pay, via their app – it really is a case of when data security is breached, not if. The pandemic and the ubiquity of the QR code have driven a flood of service providers to push customers online and onto apps to execute transactions, most of which require input of personal and credit card details. What could possibly go wrong? The answer is, quite a lot.

In many cases the collected data is stored, and payment processed, by third parties: another link in the chain of custody of sensitive information. Are you certain that the data you are collecting, or that is being collected on your behalf, is secure? Beyond general reassurances about the security protocols and systems in place (most of which is indecipherable technical jargon), what tangible security measures exist, particularly at the weakest points, where your staff or contractors physically enter or access data?

Of the last four crisis management tasks we have been asked to assist with, three have been data breaches. Managing a data breach is a complex task. Not only do the data security experts need to track down and plug the leak, but a wide range of stakeholders, from customers to regulatory authorities to business partners and the media, all need to be communicated with sensitively and reassured that matters are (hopefully) in hand. That requires a set of skills not usually held by day-to-day operating staff.
Taking two important steps will help in navigating the challenges presented.

• First, assume it will happen to you, and develop and rehearse a crisis management plan.

• Second, as soon as you become aware of a potential breach, call in your crisis team, made up of key internal people and critical external technical, communication and legal support, to work on responses and reputational protection.

The damage that a slow and inadequate response can do to corporate reputation can be fatal. Even if the breach originated from a failure within your organisation, if you move quickly, decisively and appropriately you stand a good chance of minimising the damage, to you and to your customers. In an interconnected world where online security is continually being tested by bad actors, everyone understands that challenges may arise. It is how you respond that will determine whether you retain or lose trust.

The best way to ensure you respond effectively is to be prepared. Get a data breach crisis plan together, engage the necessary external support and rehearse. When it does happen, move quickly to bring that team to the multifaceted task of fixing the breach, communicating with stakeholders and interested parties, and rebuilding the trust that every business relies on.

RMK+Associates has long experience in preparing for and managing corporate crises, including numerous data breach incidents. We have long-standing partnerships with data security experts, we have comprehensive stakeholder management skills, and we can work closely with clients’ legal counsel to prepare for and respond to serious data breach events. Are you ready?

Just in case you think we may be overstating the risk, here are a few recent cases that have created chaos:

Optus: Huge data breach, with up to 10 million customers impacted. Optus first suggests customers should use the My Optus App to find out what is going on. Massive fail! The CEO comes out the next day with an almost tearful apology and promises of further restorative action, but still can’t specify what happened or how they will fix it.

Uber: Hacker gains access to internal systems through a phishing attack. All Uber email systems and team online tools are shut down for an extended period. Separately, a 2016 attack stole the details of 57 million driver and rider accounts. Uber paid a US$100,000 ransom to have the copies deleted and kept the breach secret for over a year. Uber’s then security chief has been charged over concealing the breach from regulators and is currently on trial.

APT Travel Group: Attack takes down all booking systems and compromises data. The company refuses to confirm whether it paid a seven-figure ransom to unlock its systems and recover data.

DoorDash: Phishing attack exposes customer data, including partial payment details. The company has to cut off access for some third-party vendors and re-engineer its security protocols.

International Committee of the Red Cross: Hackers gain access to personal data of more than 510,000 people worldwide. The ICRC did not detect the breach for 70 days. Impacted servers are taken offline for an extended period. Compromised data not recovered.

Toll Group: Suffers two attacks in one year, shutting down various elements of its online customer services and compromising customer data. Attackers demand a ransom, Toll refuses, and endures weeks of disruption.