Attacks/Breaches
6/17/2011
01:01 PM
Connect Directly
RSS
E-Mail
50%
50%

How Fast Should Companies Come Clean On Breaches?

Disclosing them too quickly can compromise investigations, security experts warn.

Are companies notifying consumers quickly enough after their personal data has been exposed via a security breach?

The speed of such notifications seems to be a key question now. Earlier this month, the House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade peppered representatives from two breached companies with questions ranging from how they'd secured their data, to how quickly they'd notified affected customers.

Sony Network Entertainment president Tim Schaaff, who oversees both the business and technical aspects of the Sony PlayStation Network and Qriocity services, detailed how an attack "unprecedented in its size and scope" compromised both of those services, as well as Sony Online Entertainment, resulting in more than 100 million exposed user accounts. But Schaaff told the hearing that Sony waited only three days to notify customers after discovering the first breaches, on April 19. (Of course, Sony's troubles haven't stopped there. The day of Schaaff's testimony, the LulzSec hacking group released details from 150,000 Sony Pictures website user accounts, and more hacks have followed.)

Meanwhile, Epsilon's general counsel, Jeanette Fitzgerald, provided more details about the breach of its email marketing platform that put millions of customers of more than 50 major companies--including Best Buy, Citibank, and Verizon--at risk from spear phishing. In terms of response time, Fitzgerald said her company detected the breach of its email platform on March 30, notified the Secret Service on April 1, and issued a public warning on the same day.

In contrast, Honda Canada (not present at the hearing) suffered a data breach in March but waited until May to inform customers. One reader speculated in a recent story comment, "Honda took their time to figure out how to protect themselves before considering the impact on their customers!" A lawsuit by Canadian consumers affected by the breach likewise alleges that Honda didn't move in a timely manner.

During the hearing, chaired by Rep. Mary Bono Mack (R-Calif.), legislators appeared to be grappling with the question of how quickly businesses should notify customers after a security breach. According to Reuters, legislation proposed by Mack would require mandatory data breach notifications. The bill is now being tweaked after criticisms that it isn't rigorous enough.

The issue: The current version of the bill requires companies to notify law enforcement agencies within 48 hours of discovering they've been breached, and stipulates that consumers would then have to be notified after the resulting investigation concludes. Realistically, that could span many months. Revisions to the bill, however, might cap the consumer notification grace period at 60 days after a breach is discovered, said a senior policy adviser to Mack.

What's the optimal time for notifying consumers when their data has been breached? It's easy to say Honda moved too slowly, or that Epsilon and Sony did right by moving quickly. But there aren't any pat answers.

As part of the House hearing, Sony's Schaaff cautioned against mandating timelines. "Laws--and common sense--provide for companies to investigate breaches, gather the facts, and then report data losses publicly," he said. "If you reverse that order--issuing vague or speculative statements before you have specific and reliable information--you either confuse and panic people, without giving them useful facts, or you bombard them with so many announcements that they become background noise."

In cases involving negligence (such as a lost USB drive), affected organizations should come clean quickly, but after cyber attacks, before going public "you want to have conducted your investigation thoroughly," says data breach expert Larry Ponemon, chairman and founder of the Ponemon Institute. "It's better to be slow and surgical rather than fast and inaccurate." Such inaccuracies often result in organizations having to continually revise estimates of breach severity.

Ponemon cites Sony as an example of what not to do. "In the Sony breach, based on my sources, it's very likely that when they discovered the data breach, they were still being attacked by the cyber criminals," he says. "So you don't want to announce the breach, because you want to get a better handle on who's attacking you."

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud, as this Tech Center report explains. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4907
Published: 2014-07-11
Cross-site scripting (XSS) vulnerability in share/pnp/application/views/kohana_error_page.php in PNP4Nagios before 0.6.22 allows remote attackers to inject arbitrary web script or HTML via a parameter that is not properly handled in an error message.

CVE-2014-4908
Published: 2014-07-11
Multiple cross-site scripting (XSS) vulnerabilities in PNP4Nagios through 0.6.22 allow remote attackers to inject arbitrary web script or HTML via the URI used for reaching (1) share/pnp/application/views/kohana_error_page.php or (2) share/pnp/application/views/template.php, leading to improper hand...

CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.