5 Lessons From the Latest Data Breaches
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 3 Feb 2014 18:52:02 -0700
Son of a breach, two more security incidents are making headlines:
Coca-Cola and Michaels Stores.
That means we're looking at four major data loss events in the past few
weeks alone--three at national retailers, including Target and Neiman Marcus.
Companies can learn from how other organizations respond to a data breach,
for better or worse. Here are key takeaways for businesses that want to
protect themselves from similar disasters.
1. Get the Word Out, Pronto
Communicate the problem quickly and clearly. Don't follow Target's
footsteps. Hackers stole confidential data of up to 110 million customers
who shopped at stores from Nov. 27 to Dec. 15, 2013. But instead of
proactively announcing the breach, Target got scooped by respected security
blogger Brian Krebs, who broke the story on Dec. 18. On the same day,
Target CEO Gregg Steinhafel issued the statement that "we are pleased with
Target's holiday performance." The company confirmed the breach only after
the U.S. Secret Service and American Express released their own
Michaels, on the other hand, is taking the opposite tack. Though an
investigation is still underway, the arts-and-crafts retailer confirmed it
was investigating a potential breach immediately after Krebs broke the
news. Michaels said it wanted to notify customers "in light of the widely
reported criminal efforts to penetrate the data systems of U.S. retailers."
The company may avoid PR waves by slipping this news in quickly while the
Target and Neiman Marcus breaches are still being digested. "Michaels could
be taking a page from the Heartland playbook," said Eduard Goodman, chief
privacy officer at IDentity Theft 911, referring to the payment systems
company's breach announcement on the day of President Obama's 2009
2. Send Clear Messages
Consider communications to potential victims with great care. Target made
yet another egregious error by notifying customers of the breach via poorly
considered, suspicious-looking email communications. The email included a
suspicious sender address: TargetNews@target.bfi0.com instead of @target.com.
Plus, it directed users to click on a link for additional details on the
monitoring. The bizarre "bfi0" in the subdomain suggested nothing official
to differentiate it from phishing and malware-laden emails sent by scammers
following such corporate data breaches; scammers often make subtle tweaks.
Many people who received the email didn't actually shop at Target during
the compromised dates, which made the email appear even more like a scam.
Because the notice was delivered via email, and probably because it
originated from a suspicious email address, the original message ended up in
many junk mailboxes.
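One defender-side way to apply the point about the sender address, as an added example that is not part of the original article: the check below decides whether a notification's From: domain is the organization's own domain or a subdomain of it, and flags hosts such as target.bfi0.com, where "target" is only a label under the unrelated registered domain bfi0.com. The organization domain and the sample addresses are constructed for illustration.

```python
"""Classify the From: address of a breach-notification email relative to the
organization's real domain. Example code; not from the article or any retailer."""
from email.utils import parseaddr


def registered_domain(host: str) -> str:
    # Assumption: the last two labels are the registrable domain. A real
    # deployment should consult the Public Suffix List (e.g. example.co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_sender(header_from: str, org_domain: str) -> str:
    """Return 'org', 'lookalike' or 'unrelated' for a From: header value.

    'org'        -> the org domain itself or a subdomain of it (news.target.com)
    'lookalike'  -> the org's name appears as a label inside a domain registered
                    to someone else (target.bfi0.com, target.com.evil.example)
    'unrelated'  -> anything else, including malformed addresses
    """
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return "unrelated"
    host = addr.rsplit("@", 1)[1].lower().rstrip(".")
    org = org_domain.lower().rstrip(".")
    # Genuine: exact match or a true subdomain (label boundary enforced by the dot).
    if host == org or host.endswith("." + org):
        return "org"
    # Lookalike: the org's first label is embedded in a host whose registrable
    # domain is not the org's (this is what made the Target notice look like phishing).
    org_label = org.split(".")[0]
    if registered_domain(host) != org and any(org_label in lbl for lbl in host.split(".")):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample headers, including the form quoted in the article.
    samples = [
        "Target News <TargetNews@target.bfi0.com>",
        "alerts@news.target.com",
        "support@target.com.evil.example",
        "bob@example.net",
    ]
    for s in samples:
        print(f"{s:45} -> {classify_sender(s, 'target.com')}")
```

Treat a 'lookalike' result as grounds to verify the notice through the organization's own site rather than any link in the message.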
3. Have an Information Security Policy--and Use It
In Coca-Cola's case, proper security controls clearly weren't in place. A
former employee responsible for maintaining and disposing of computer
equipment kept the old computers that contained the personal information of
more than 70,000 employees, as well as corporate data. A solid information
security policy would cover the handling, sanitation and disposal of
sensitive data. Implementation of proper policies and controls with IT
governance oversight can minimize the risk of data leakage caused by the
disposal of old computer hardware.
4. Invest in Network Defenses
Hackers are working to exploit weaknesses in retailers' point-of-service
systems and networks. For example, they're targeting weak administrative
passwords used to manage POS systems remotely and finding clever ways to
install malware. Retailers would do well to strengthen those POS systems
and networks by 1) using strong passwords or two-factor authentication for
POS administrative access and accounts, 2) updating POS software
applications using the latest security patches, 3) restricting outside
access to POS systems from the Internet, and 4) if it isn't required,
disallowing remote access.
5. Carefully Consider Free Credit Monitoring
When a breach involves payment card information and no Social Security
numbers, companies like Target often make the mistake of offering free
credit monitoring. They're trying to reassure consumers but instead may
give them a false sense of security. Credit monitoring looks at changes to
a credit file that have been reported to Experian, Equifax or TransUnion.
Credit monitoring does not monitor existing credit accounts. So, if a
Target customer enrolls in the credit monitoring solution provided by
Target, that customer would not be alerted if an existing account--in this
case credit cards and payment cards--was used fraudulently. The only way for
Target customers to find out if an existing credit or payment card is
misused is by monitoring their payment card accounts for suspicious
Finally, data breach victims should take steps to monitor their identity
and credit, and check with their providers. An insurance company, credit
union or employer is probably already offering this benefit free or at a
very low cost. Check with them to activate the service.
If you want a free way to monitor your credit, the Credit Report Card will
update two of your credit scores for free every month.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
Risk Based Security (http://www.riskbasedsecurity.com/)