A Tale of Two Breaches

Written by

Peter is having an extremely bad day. As Data Protection Officer (DPO) at a large company, he’s just taken a frantic phone call from the CIO who has informed him of a massive data breach. Details are still very sketchy, but potentially thousands of customer records, including personal data (PD) and payment card data has been compromised – and no-one knows what to do next.
 
The moment Peter puts down the phone, the clock starts ticking. Under the provisions of the EU GDPR he knows that if the information loss is likely to result in risk to individuals’ rights and freedoms, he has just 72 hours to inform the data protection authorities.
 
Peter doesn’t just have to tell the authorities that the company has fallen victim to a successful hack. The GDPR demands that he ideally compiles a detailed report that covers the nature of the breach, details of who has been affected and what kind of data has been compromised, how many records have been affected, the likely consequences, and what measures are being taken to mitigate the breach.

On top of that, he’ll have to inform affected users “without undue delay” if the breach might put EU citizens at high risk, while informing the general public (and press) about the attack and its implications to avoid any potential speculation or rumor.
 
It’s a race against time, but even if Peter foregoes sleep over the next three days, it’s a race he’s going to lose. That’s because the business has neither the plans, processes, people or technology in place to crunch through the thousands of systems and terabytes of data to establish the cause and identify the scale of the breach.
 
Few DPOs can be unaware of the potential fines that could be imposed under the GDPR, which amount to €20m or four per cent of annual turnover. These penalties are not charged as punishment for suffering a breach, but rather for failing to demonstrate that the organization has deployed 
countermeasures appropriate to the risk; used state-of-the-art best practices and tools.
 
What Peter doesn’t know is that the cost goes far beyond the fine itself. The average total cost of a data breach is $3.62 million, comprising detection and escalation, notification, post-breach response, and the biggest single cost – lost reputation and business. One of the risks that is difficult to predict is whether EU citizens can file compensation claims if they have suffered damage as a result. The claims can only be rejected by the organization if they can prove that it “is not in any way responsible for the damage”. 
 
Without the right tools, the organization can neither provide the necessary information to the authorities, nor can it effectively investigate and mitigate the breach; as a result, the cost of this breach will likely run into the millions. Peter will have many more tough days in the weeks and months ahead.
 
The competitor
Unknown to Peter, one of the company’s competitors across town has been hit by exactly the same attack. Unlike them, however, their DPO, Barbara, has planned for this eventuality. Consequently, she has the right systems and procedures in place to spring straight into action the moment she gets the call that marks the beginning of the 72 “golden hours”.
 
Under Barbara’s watch, her business has invested in robust breach detection, investigation and internal reporting procedures. At the heart of this system lies modern log file reporting tools that help determine whether information has been accessed by unauthorized persons, whether the breach is serious enough to report, what kind of data has been exposed and for how long, and how many people have potentially been affected.
 
These tools use machine data which provides all historical information that the business needs to demonstrate that they had appropriate security controls in place, and that they worked proactively to mitigate the risk. Whether it is changes to technical configurations (and who made them), password resets or update history, machine data can be used to document all of these within the short reporting window.
 
The difference
The crucial difference between these businesses is that one has the tools to perform a deep dive into its digital infrastructure and analyze many thousands of systems and terabytes of data. This enables the company to determine and document where data was stored, processed and accessed throughout their environment, and so stop the leakage.
 
Thanks to her suite of analytical tools, Barbara can quickly plough through months of data from any number of systems to get a first estimate on which customers or employees have been affected, how the attackers breached the network and which vulnerability they exploited, what data was accessed, and who processed or accessed information.
 
Machine data analytics can quickly tell you whether there is logon activity associated with an employee who is out-of-office, raising a possible red flag. It can also help mobile device management teams to identify when a new device accesses a system or logs into a VPN, warning them of compromised credentials that could help to prevent data exfiltration. Integrating this capability into the organization’s security information and event management (SIEM) enables Barbara to examine every application and system that is involved in processing personal information.
 
Barbara’s company hasn’t just invested in technology, however. It has also spent time putting the right training and processes in place to ensure that it can effectively respond to a data breach. This includes training for employees, establishing a cadre of “first-responders”, and ingraining the incident response process within the organization’s culture.
 
These processes include guidelines for breach response and provisions for co-ordination between DPO, IT team, communications department, legal and, dependent on severity, the CEO and the board. This means that upon learning about the breach, Barbara can appoint an appropriate incident commander, and knows what actions she must take to stop the data leakage, whether it is taking systems or users off-line, shunting access to certain applications, or creating sink holes.
 
Thanks to Barbara’s effective preparations, her company is able to provide a thorough report to the data protection authorities which demonstrates unequivocally that the company employed the best possible safeguards against attack and is taking the necessary steps to mitigate its impact.
 
Barbara is smart and well-prepared, but she didn’t manage all this on her own. Understanding the complexities of GDPR and the current threat landscape, she worked with her technology partners who helped her develop a system that employs machine data to detect, prevent and investigate breaches, while ensuring that GDPR security controls are enforced.
 
Barbara hasn’t had the best of days either. She knows, however, that she has the technology, processes and training in place to demonstrate that they have fully followed data protection best practices. As a result, the company will not only avoid a massive fine under the GDPR, but will be able to resolve the breach quickly and effectively, with the smallest possible impact on its customers – or its reputation.

What’s hot on Infosecurity Magazine?