How NOT to Handle a Data Breach (With Examples)

It seems that every day another fortune 500 company falls victim to a huge data breach; thrusting their poor cybersecurity policies and practices into the spotlight. Whilst the prevalence of breaches is very worrying, there are some lessons that can be learnt from the mistakes of others.

Some of the biggest data breaches of the last few years affecting the most reputable companies have yielded major faux pas in how to prepare for and handle the aftermath of the event. In this article we will go through just a few high-profile data breach events and determine what lessons you can draw from them so that you don’t fall into the same traps.

Equifax Makes Things Worse

Sometimes there’s nothing you can do to prevent a major breach from taking place. If you become a target for hackers, it’s likely they will work out a way past your defenses. However, by not reacting and handling the situation in the correct way, you can make matters so much worse – as Equifax proved.

In 2017, Equifax reported on a catastrophic data breach they suffered that affected the personal information of over 143 million Americans (just under half the population!). The attack was a targeted one and the data affected included social security numbers, email addresses, names, dates or birth and much more.

Attackers reportedly caused the breach by exploiting a vulnerability in Apache Struts in May 2017. This was a vulnerability that Equifax had failed to fix, despite Apache Stuts being released a few months prior to the attack. Equifax failed to notice the breach until July 29, 2017.

The way that this breach was handled by Equifax did nothing to redeem themselves to the public or to their customers in particular. Initially they completely underestimated the scale of the leak when they first announced it to the public, having to go back later and add millions more to the final figure. They would also have to then announce another breach on their South American site.

The resulting fallout from the way this breach was handled serves as a warning to companies that they better get visibility into their data and create strict data breach reporting procedures.

Uber Being Dishonest

Towards the end of 2016, hackers went to Uber and informed them that they had acquired the personal information of more than 57 million customers and employees – including their driver’s licenses, email addresses, names and more. Uber, in its infinite wisdom, decided to hide this from the public.

It only went public when Uber’s board of directors began to investigate their own security team for a completely different issue. In doing this they discovered the hush money that Uber paid to the attackers and it all kicked off.

You should NEVER hide the fact that you were the victims of an attack, particularly when customer data is affected. It will always become public sooner or later. In fact, reporting the breach immediately can have positive benefits, as the subsequent investigation can help to plug gaps in security.

Get Ahead of the Attack

Obviously, the goal is to not be the victim of an attack in the first place. The best way to do this is to deploy a security solution that focusses on protecting the data first. Such solutions are known as Data-Centric Audit & Protection (DCAP) Solutions. They will enable you to locate where your sensitive data is, determine who has access to it, and spot changes being made that could potentially lead to catastrophic data breaches.

However, as the above attacks prove, if you’re a target there’s often not much you can do to prevent an attack from taking place. So you best make sure you have the policies and procedures in place to react appropriately and quickly. If you can’t prove that you did everything in your power to prevent and react to the attack, you risk critically damaging your reputation and bottom line.