Attacks/Breaches
6/17/2011
01:01 PM
50%
50%

How Fast Should Companies Come Clean On Breaches?

Disclosing them too quickly can compromise investigations, security experts warn.

Are companies notifying consumers quickly enough after their personal data has been exposed via a security breach?

The speed of such notifications seems to be a key question now. Earlier this month, the House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade peppered representatives from two breached companies with questions ranging from how they'd secured their data, to how quickly they'd notified affected customers.

Sony Network Entertainment president Tim Schaaff, who oversees both the business and technical aspects of the Sony PlayStation Network and Qriocity services, detailed how an attack "unprecedented in its size and scope" compromised both of those services, as well as Sony Online Entertainment, resulting in more than 100 million exposed user accounts. But Schaaff told the hearing that Sony waited only three days to notify customers after discovering the first breaches, on April 19. (Of course, Sony's troubles haven't stopped there. The day of Schaaff's testimony, the LulzSec hacking group released details from 150,000 Sony Pictures website user accounts, and more hacks have followed.)

Meanwhile, Epsilon's general counsel, Jeanette Fitzgerald, provided more details about the breach of its email marketing platform that put millions of customers of more than 50 major companies--including Best Buy, Citibank, and Verizon--at risk from spear phishing. In terms of response time, Fitzgerald said her company detected the breach of its email platform on March 30, notified the Secret Service on April 1, and issued a public warning on the same day.

In contrast, Honda Canada (not present at the hearing) suffered a data breach in March but waited until May to inform customers. One reader speculated in a recent story comment, "Honda took their time to figure out how to protect themselves before considering the impact on their customers!" A lawsuit by Canadian consumers affected by the breach likewise alleges that Honda didn't move in a timely manner.

During the hearing, chaired by Rep. Mary Bono Mack (R-Calif.), legislators appeared to be grappling with the question of how quickly businesses should notify customers after a security breach. According to Reuters, legislation proposed by Mack would require mandatory data breach notifications. The bill is now being tweaked after criticisms that it isn't rigorous enough.

The issue: The current version of the bill requires companies to notify law enforcement agencies within 48 hours of discovering they've been breached, and stipulates that consumers would then have to be notified after the resulting investigation concludes. Realistically, that could span many months. Revisions to the bill, however, might cap the consumer notification grace period at 60 days after a breach is discovered, said a senior policy adviser to Mack.

What's the optimal time for notifying consumers when their data has been breached? It's easy to say Honda moved too slowly, or that Epsilon and Sony did right by moving quickly. But there aren't any pat answers.

As part of the House hearing, Sony's Schaaff cautioned against mandating timelines. "Laws--and common sense--provide for companies to investigate breaches, gather the facts, and then report data losses publicly," he said. "If you reverse that order--issuing vague or speculative statements before you have specific and reliable information--you either confuse and panic people, without giving them useful facts, or you bombard them with so many announcements that they become background noise."

In cases involving negligence (such as a lost USB drive), affected organizations should come clean quickly, but after cyber attacks, before going public "you want to have conducted your investigation thoroughly," says data breach expert Larry Ponemon, chairman and founder of the Ponemon Institute. "It's better to be slow and surgical rather than fast and inaccurate." Such inaccuracies often result in organizations having to continually revise estimates of breach severity.

Ponemon cites Sony as an example of what not to do. "In the Sony breach, based on my sources, it's very likely that when they discovered the data breach, they were still being attacked by the cyber criminals," he says. "So you don't want to announce the breach, because you want to get a better handle on who's attacking you."

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud, as this Tech Center report explains. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.