How not to handle a data breach

Data Breach

It’s not often that a week goes by these days without a company revealing news of a data breach involving its customers. Partly this is down to new legislation, including GDPR, which requires breaches to be reported within a fixed timescale. But this doesn’t mean that companies are going about disclosing breaches in the best way.

Online retailer Amazon sparked worries among its customers a couple of weeks ago [1] by sending out an email to some of them. This essentially said that there had been a disclosure of information, but that everything was all right and there was nothing to worry about. Naturally many people who received this found it less than reassuring.

By contrast, this week question and answer platform Quora revealed a breach that may have compromised the data of up to 100 million of its users. [2] It also emailed customers, but its message set out full details of what information may have been leaked and when. The company also reset the passwords of all those customers who may have been affected by the breach.

Full disclosure

The difference between these approaches is clear. While Amazon left customers wondering what had happened and scrabbling around on internet forums to look for information, Quora’s full disclosure made it easy to understand the situation and what action they needed to take.

You can argue that these are very different organisations, but retailers, who are likely to hold information about payment methods, should be quicker to tell their customers exactly what has happened when a breach takes place.

In the wake of any breach, customers of the affected firm are likely to become the target of phishing attacks. Any other accounts on which they may have used the same password also become vulnerable. Knowing what information has been leaked is therefore important to allow people to adequately protect themselves.

Doing it right

So, what should companies do when confronted with a data breach? The first thing is to ensure that you comply with the law. Under GDPR, a personal data breach must be reported to the supervisory authority (the ICO in the UK) [3] within 72 hours of the organisation becoming aware of it. Failure to do so can make you liable to a fine. Where the breach is likely to result in a high risk to the people affected, they must also be told without undue delay.

You need to understand what constitutes a reportable event too. According to the ICO, a personal data breach also covers the accidental or unlawful destruction, loss or alteration of personal data, not just unauthorised disclosure to third parties.

Preparation, however, has to start before a breach happens. Businesses need to conduct an audit of what data they hold and where it lives. They also need to have a plan in place to handle a breach. Rather than firefighting the problem after it has happened, if you have prepared in advance and know who is in charge of the situation and what steps need to be taken, you will be much better equipped to make an effective response.

Taking a step further back, it’s also worth looking at how your data is secured. Payment card details need to be encrypted (or, better, replaced by tokens held by your payment provider) so that even if they fall into the wrong hands they can’t be used. Passwords should not be encrypted at all, since anything encrypted can be decrypted; they should be stored only as salted hashes produced by a deliberately slow password-hashing function such as bcrypt, scrypt or Argon2, so that a leaked user table cannot be turned back into passwords.

Making sure that login to your site is secure is essential too. That means enforcing password rules: a sensible minimum length and, in line with current guidance such as NIST SP 800-63B, rejecting passwords that appear in known breach lists rather than insisting on a mix of character classes. In addition, many companies are turning to multi-factor authentication to ensure that logins stay safe even if a password is compromised.
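The two points above, storing passwords as salted slow hashes rather than encrypting them and checking new passwords against a minimum length and a breach list, are shown together in the following added example. It is illustrative code written for this article, not code from Cloudworks or from any of the companies mentioned; the scrypt cost parameters, the twelve-character minimum and the tiny deny-list of common passwords are assumptions standing in for real production settings and a real breached-password feed. It also includes the kind of forced password reset Quora applied to affected accounts.

```python
"""Password storage, policy and forced reset (added example, not from the article)."""
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values, chosen to stay within Python's default
# 32 MiB memory limit (128 * N * r bytes = 16 MiB here). Raise N as hardware allows.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32

# Constructed deny-list standing in for a real breached-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}
MIN_LENGTH = 12  # assumed policy minimum


def password_is_acceptable(password: str) -> bool:
    """Policy check: minimum length plus a breach-list lookup, no character-class rules."""
    if len(password) < MIN_LENGTH:
        return False
    return password.lower() not in COMMON_PASSWORDS


def hash_password(password: str) -> dict:
    """Return the record that is actually stored: a fresh random salt and the
    scrypt-derived key, plus the parameters used so they can be upgraded later.
    The password itself is never kept."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return {"salt": salt.hex(), "key": key.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P, "reset_required": False}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(record["salt"]),
                         n=record["n"], r=record["r"], p=record["p"], dklen=KEY_BYTES)
    return hmac.compare_digest(key, bytes.fromhex(record["key"]))


def register(users: dict, username: str, password: str) -> bool:
    """Create (or re-set) a user if the password passes policy; store only the hash record."""
    if not password_is_acceptable(password):
        return False
    users[username] = hash_password(password)
    return True


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate against stored records. Accounts flagged for reset are refused
    until a new password is registered; unknown users still cost one hash so that
    response timing does not reveal which usernames exist."""
    record = users.get(username)
    if record is None:
        hash_password(password)  # burn the same work as a real check
        return False
    if record["reset_required"]:
        return False
    return verify_password(password, record)


def force_password_reset(users: dict, usernames) -> int:
    """After a breach, invalidate the listed accounts' passwords (as Quora did).
    Returns how many accounts were flagged."""
    count = 0
    for name in usernames:
        if name in users:
            users[name]["reset_required"] = True
            count += 1
    return count


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    print("stored record:", users["alice"])      # salt and key only, no password
    print("login ok:", login(users, "alice", "correct horse battery staple"))
    force_password_reset(users, ["alice"])
    print("login after forced reset:", login(users, "alice", "correct horse battery staple"))
```

Note what a leaked copy of `users` gives an attacker: a salt, a 32-byte scrypt output and the cost parameters. The only way back to the password is to guess candidates and run scrypt for each, and the per-user salt means that work cannot be shared across accounts. That is the property the article is asking for, and encryption does not provide it, because the decryption key has to live somewhere the application can reach.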

There is a right way and a wrong way to deal with data breaches, but if you can, it’s better to ensure your data is properly protected in the first place.

Cloudworks can help prevent data breaches by protecting your identities and users. If you’d like to know more – please call us on 0115 824 8244 or email us at hello@cloudworks.co.uk

[1] https://betanews.com/2018/11/21/amazon-discloses-names-and-addreses/
[2] https://www.infosecurity-magazine.com/news/quora-breach-hits-100-million/
[3] https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/