Attacks/Breaches
6/17/2011
01:01 PM
50%
50%

How Fast Should Companies Come Clean On Breaches?

Disclosing them too quickly can compromise investigations, security experts warn.

Are companies notifying consumers quickly enough after their personal data has been exposed via a security breach?

The speed of such notifications seems to be a key question now. Earlier this month, the House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade peppered representatives from two breached companies with questions ranging from how they'd secured their data, to how quickly they'd notified affected customers.

Sony Network Entertainment president Tim Schaaff, who oversees both the business and technical aspects of the Sony PlayStation Network and Qriocity services, detailed how an attack "unprecedented in its size and scope" compromised both of those services, as well as Sony Online Entertainment, resulting in more than 100 million exposed user accounts. But Schaaff told the hearing that Sony waited only three days to notify customers after discovering the first breaches, on April 19. (Of course, Sony's troubles haven't stopped there. The day of Schaaff's testimony, the LulzSec hacking group released details from 150,000 Sony Pictures website user accounts, and more hacks have followed.)

Meanwhile, Epsilon's general counsel, Jeanette Fitzgerald, provided more details about the breach of its email marketing platform that put millions of customers of more than 50 major companies--including Best Buy, Citibank, and Verizon--at risk from spear phishing. In terms of response time, Fitzgerald said her company detected the breach of its email platform on March 30, notified the Secret Service on April 1, and issued a public warning on the same day.

In contrast, Honda Canada (not present at the hearing) suffered a data breach in March but waited until May to inform customers. One reader speculated in a recent story comment, "Honda took their time to figure out how to protect themselves before considering the impact on their customers!" A lawsuit by Canadian consumers affected by the breach likewise alleges that Honda didn't move in a timely manner.

During the hearing, chaired by Rep. Mary Bono Mack (R-Calif.), legislators appeared to be grappling with the question of how quickly businesses should notify customers after a security breach. According to Reuters, legislation proposed by Mack would require mandatory data breach notifications. The bill is now being tweaked after criticisms that it isn't rigorous enough.

The issue: The current version of the bill requires companies to notify law enforcement agencies within 48 hours of discovering they've been breached, and stipulates that consumers would then have to be notified after the resulting investigation concludes. Realistically, that could span many months. Revisions to the bill, however, might cap the consumer notification grace period at 60 days after a breach is discovered, said a senior policy adviser to Mack.

What's the optimal time for notifying consumers when their data has been breached? It's easy to say Honda moved too slowly, or that Epsilon and Sony did right by moving quickly. But there aren't any pat answers.

As part of the House hearing, Sony's Schaaff cautioned against mandating timelines. "Laws--and common sense--provide for companies to investigate breaches, gather the facts, and then report data losses publicly," he said. "If you reverse that order--issuing vague or speculative statements before you have specific and reliable information--you either confuse and panic people, without giving them useful facts, or you bombard them with so many announcements that they become background noise."

In cases involving negligence (such as a lost USB drive), affected organizations should come clean quickly, but after cyber attacks, before going public "you want to have conducted your investigation thoroughly," says data breach expert Larry Ponemon, chairman and founder of the Ponemon Institute. "It's better to be slow and surgical rather than fast and inaccurate." Such inaccuracies often result in organizations having to continually revise estimates of breach severity.

Ponemon cites Sony as an example of what not to do. "In the Sony breach, based on my sources, it's very likely that when they discovered the data breach, they were still being attacked by the cyber criminals," he says. "So you don't want to announce the breach, because you want to get a better handle on who's attacking you."

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud, as this Tech Center report explains. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-0598
Published: 2015-03-05
The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.

CVE-2015-0607
Published: 2015-03-05
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0657
Published: 2015-03-05
Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCur69192.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.