Archive · · 4 min read

Another Day, Another Data Breach

Why do all incident response communications from customers feel the same? Why do they all miss the mark? How hard is it to do better?

Another Day, Another Data Breach
[ Another big name breach within a 4 week span. Up now? Staples. More details from Brian Krebs at http://krebsonsecurity.com/2014/10/banks-credit-card-breach-at-staples-stores/

[ It’s 2-for-1 weekend! Dairy Queen just. More details from Brian Krebs at. admitted to a previous data breach http://krebsonsecurity.com/2014/10/dairy-queen-confirms-breach-at-395-stores/

Please read this post twice. The first time as-is, the second replacing all instances of “Kmart” with “Dairy Queen” ]

Dear [Valued | Trusted | Loyal ] Customer,

Yesterday we discovered a security incident affecting our payment systems. Our IT team detected that our systems had been breached and immediately launched a full scale investigation working with a global leader in forensics.

The initial findings show that the breach started in early [ sometime in the last two years ] but was stopped yesterday. Based on the initial findings, no [ select all data that was kept safe: personal information | PIN numbers | address information | email addresses | usernames | passwords | social security numbers ] were obtained.

It’s important to note that credit companies do not hold cardholders liable for any unauthorized charges if those charges are reported in a timely manner.

Your privacy and security is important to us here at [ Company Name ]. We’re committed to doing everything possible to ensure that your information is safe with us. To further protect you, we’re offering a year of free credit monitoring to any affected customer.

Given the criminal nature of this incident, we are working closely with law enforcement and security experts in this ongoing investigation.

We will strive to keep you up to date as the situation develops. We suggest that you closely monitor your credit statements for any unauthorized transactions and if you see any signs of suspicious activities, please report it immediately to your card issuer.

More guidance is available on our website at [ company URL ] and by calling [ company toll free number ].

Sincerely,

[ Name of Top(ish) Executive ] [ Title of Top(ish) Exceutive ] [ Company Name ]


Does this seem familiar?

That’s because it’s a rough outline of the form letter organizations use in the event a data breach…something that continues to happen with frightening regularity.

This week it was Kmart’s turn. They released an official statement late Friday afternoon informing the public that they had suffered a data breach. This puts Kmart on the list that already includes notables Target and Home Depot.

A quick note to affected customers: take Kmart up on their offer of free credit monitoring. It’s a good step to protect your finances. You’ll also want to monitor your credit card statements and report any abnormal activity to your credit card company immediately.

Don’t just look for large unauthorized transactions. Look for odd transactions of small amounts. Criminals use small transactions as “feelers” to see if the account details are valid.

If you’re unfamiliar with the impact or causes of these types of breaches, you can watch this piece I did on CBC News talking about Home Depot or my friend & colleague, JD Sherry on Fox Business speaking to the Target breach.

When you’re watching the coverage, just replace “Home Depot” or “Target” with “Kmart” or any other flavour of the week.

What’s truly amazing is that all of these breaches all follow the same pattern.

You can expect to see the following 4 public events:

While the details of a PoS breach can be interesting for those of us in the field, they are relatively unremarkable in the larger context of cybercrime.

tl:dr The criminals exploit a weakness or bug in a system to get the data they want.

Why does this keep happening?

Not surprisingly, the answer is complicated but one of the strongest reasons is the lack of motivation by the affected companies.

As it stands now, there is zero liability for the customer. While changing credit card numbers is a hassle, the typical consumer isn’t affected by every public breach. This provides little motivation for an organized push to change the status quo.

Don’t get me wrong, zero liability is the way to go. But we still have to find a motivator for the companies to change.

From the companies perspective, basing a financial decision on a qualitative assessment of the risk is very difficult. Try to justify the staffing another analyst at $87 829 per year (~$132 000 when you factor in the other costs associated with a new employee) because you’re facing a “medium” risk.

It’s much easier to justify the expense of a larger team or new tools if there is a concrete figure you’re trying to avoid paying.

In North America, getting that figure is very difficult. Stock prices fluctuate for any number of reasons and rarely is there a bill directly associated to a data breach beyond the outside forensic consultant and the cost of credit monitoring for affected customers.

And without that figure, it’s hard to make an informed decision on how much to invest in your defences.

That’s why we should be watching the impact from the new European data protection law very closely.

Most of the attention to the new law went to the “ right to be forgotten ” provisions but more interesting than that is the new fine structure for data breaches.

The new law provides data protection regulators with the ability to fine an offending company 100 000 000 EUR or up to (a/k/a revenue) whichever is greater. 5% of their annual global turnover Fines at these levels will get companies attention.

Imagine that Kmart or Target or Home Depot was facing a $100 000 000 fine for a possible data breach. The extra $132 000 for a new analyst doesn’t seem so high now does it?

The way to reduce the frequency of these breaches isn’t a mystery. Follow the basics of good information security practices. Ensure that you have the right products, process, and—above all else—people in place to defend the data your charged with protected. But you need to be motivated to take those steps.

Unfortunately, it’s all too common to have security as an after thought for IT projects or worse, view information security as a “cost centre” for the organization.

Until companies face a real, quantifiable financial impact from a data breach, expect a copy of that form letter at least once a month.

Read next