Data breaches are on the rise. This year alone, 18 massive companies have faced serious attacks, including Facebook, Panera, and Under Armour. The Panera breach in April exposed 37 million customers’ names, credit card numbers, and more. And 150 million customers’ usernames, email addresses, and passwords leaked in the Under Armour breach. Huge companies are proving to be vulnerable, and it’s creating a vital cultural dialogue about data security practices.
Let’s take a look at three examples of how companies have handled data breaches in the past. One company did all they could, another did the least, and a final company chose not to own up to what happened at all.
The Good: Equifax
In September of 2017, Equifax revealed that an insecure app on their website exposed 143 million users. Social security numbers, birthdates, addresses, and driver’s license numbers leaked. 209,000 consumers also had their credit card data exposed. So how did the company respond?
Locate and alert: They found the leak on July 29 and prevented it from causing any more damage.
Contact external investigation team: Equifax hired a forensics firm to make an inquiry.
Draft company response: The company announced the breach on September 7, a month after detection. All things considered, that’s a remarkable turnaround. The GDPR, which hadn’t yet taken effect, mandates reporting within 72 hours. Louisiana and South Dakota have now set the limit at 60 days, while Arizona and Oregon demand 45.
Notify: Equifax launched a website to extend credit monitoring to those affected. The company also contacted potential victims via USPS with more details.
Follow through: The website is still live, and has released new information throughout 2018.
The repercussions were terrible for consumers and the company. It’s unacceptable for large companies like Equifax to be vulnerable to cyber attacks in this way. But all things considered, Equifax has done the best they can.
The Bad: Chipotle
Chipotle announced on April 25, 2017 that they had detected a data breach in their system from March 24 to April 18. 2,250 locations suffered, leaking credit card numbers, expiration dates, and verification codes. Let’s see how the company reacted to this blunder:
Locate and alert: The company discovered and closed the leak almost immediately. Chipotle removed the malware and began improving security measures right away.
Contact external investigation team: Security firms, law enforcement, and payment networks assembled.
Draft company response: Chipotle didn’t waste any time, announcing within a week. Whether this was the right call is debatable. On one hand, it shows that they wanted to protect customers ASAP. Yet they hadn’t completed their investigation, meaning they released partial information.
Notify: Like Equifax, they released a tool on their website allowing users to search through affected locations. And while this measure was helpful at the time, it’s not available on the website anymore. Even when it was available, it only let customers see if their local Chipotle got hacked. It didn’t let specific customers know if they were in danger. The company also created a toll-free number for customers to call if they had any questions. That line is no longer in service.
Follow through: This last step is what separates good from bad. Chipotle never announced how many customers faced consequences. In fact, they haven’t sent out any updates since May 2017. They left it completely up to customers to discover any leaks, and then they swept it all under the rug. Since the company doesn’t collect contact info for customers, it couldn’t notify affected individuals directly. But they could’ve done way more to atone for their mistake.
While Chipotle’s response time was quick, their lack of follow through is unacceptable. They scrubbed all mention of the breach from their website, including the original press release. If a customer became exposed, it was completely up to them to find out. This lack of transparency will need to be a thing of the past if the company wants to succeed. These issues take a while to resolve, and Chipotle should’ve kept their tools available. People who may have missed the news are now completely in the dark.
The Ugly: Uber
At this point, it’s no surprise that Uber has conducted some shady business. The allegations of IP theft, bribery, and sexual misconduct are all true. One scandal, though, is particularly relevant to the topic at hand. A cyber attack in October of 2016 exposed 57 million customers and drivers. Afterwards, the company paid the hackers to delete the stolen information. Names, email addresses and phone numbers leaked, making the potential consequences negligible. Unfortunately, a vast number of drivers had their driver’s license numbers stolen. Although these dealings are ugly, let’s analyze their reaction.
Locate and alert: Former Uber CEO Travis Kalanick learned of the hack in November. Somewhere in that time span, the internal security team took steps to close the loophole. Authorities were not alerted.
Contact external investigation team: The board didn’t commission an investigation until 2017. That’s how the hack, and failure to disclose, reached the public.
Draft company response: Uber released this information to the public in November of 2017.
Notify: Since the hackers erased the data before abusing it, customers were not offered any guidance.
Follow through: There was no follow-through in this case. The number of people involved varies from report to report, and none of those affected received further information.
While this case is very complicated considering the number of scandals Uber was facing, it serves as an example of what not to do. Today, data transparency and security are becoming crucial. Failing to address a breach is not only tactless, it’s illegal. The Federal Trade Commission is currently busy settling other companies’ violations, but it’s only a matter of time before Uber is punished.
It’s important to have an outlined procedure for when these breaches occur in the meantime. When it comes to handling data breaches, there’s a very specific protocol to follow. Here’s a simple breakdown of how a company should act upon confirming a data security risk:
Locate and alert: Contact board members, department heads, shareholders, and the authorities. Work with IT to disconnect breached systems and disable any malicious programs that were installed.
Contact external investigation team: To avoid bias, the team must be external. They should handle the ongoing investigation.
Draft company statement: This report should get out ASAP. After relaying the basic details, it should defer to the vendor handling inquiries. The company should also provide access to credit reports and counselors.
Notify: Here’s the bombshell press release. The company needs to inform consumers and business partners ASAP.
Follow through: This is what separates the good from the bad. Ensure that all affected parties receive help.
Upon reviewing these cases, it’s evident that there are different ways to react to a data breach. Some companies go the extra mile like Equifax, and some sweep it under the rug like Uber. But in 2018, we’re seeing a rise in data breaches and an intolerance for improper handling of said breaches. And that intolerance isn’t only from consumers, it’s from state governments around the country. California passed the California Consumer Privacy Act (CCPA) this year, which enforces strict repercussions. Colorado and Vermont have passed similar laws. As of September, all 50 states have enacted breach notification rules. These big companies are easing into compliance, but consumers ought to keep a close eye. It’s crucial to get familiar with the data privacy policies these companies currently use. Until federal legislation passes, it’s up to consumers to remain vigilant.

Published on October 9, 2018