Attacks/Breaches

6/17/2011
01:01 PM
50%
50%

How Fast Should Companies Come Clean On Breaches?

Disclosing them too quickly can compromise investigations, security experts warn.

Are companies notifying consumers quickly enough after their personal data has been exposed via a security breach?

The speed of such notifications seems to be a key question now. Earlier this month, the House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade peppered representatives from two breached companies with questions ranging from how they'd secured their data, to how quickly they'd notified affected customers.

Sony Network Entertainment president Tim Schaaff, who oversees both the business and technical aspects of the Sony PlayStation Network and Qriocity services, detailed how an attack "unprecedented in its size and scope" compromised both of those services, as well as Sony Online Entertainment, resulting in more than 100 million exposed user accounts. But Schaaff told the hearing that Sony waited only three days to notify customers after discovering the first breaches, on April 19. (Of course, Sony's troubles haven't stopped there. The day of Schaaff's testimony, the LulzSec hacking group released details from 150,000 Sony Pictures website user accounts, and more hacks have followed.)

Meanwhile, Epsilon's general counsel, Jeanette Fitzgerald, provided more details about the breach of its email marketing platform that put millions of customers of more than 50 major companies--including Best Buy, Citibank, and Verizon--at risk from spear phishing. In terms of response time, Fitzgerald said her company detected the breach of its email platform on March 30, notified the Secret Service on April 1, and issued a public warning on the same day.

In contrast, Honda Canada (not present at the hearing) suffered a data breach in March but waited until May to inform customers. One reader speculated in a recent story comment, "Honda took their time to figure out how to protect themselves before considering the impact on their customers!" A lawsuit by Canadian consumers affected by the breach likewise alleges that Honda didn't move in a timely manner.

During the hearing, chaired by Rep. Mary Bono Mack (R-Calif.), legislators appeared to be grappling with the question of how quickly businesses should notify customers after a security breach. According to Reuters, legislation proposed by Mack would require mandatory data breach notifications. The bill is now being tweaked after criticisms that it isn't rigorous enough.

The issue: The current version of the bill requires companies to notify law enforcement agencies within 48 hours of discovering they've been breached, and stipulates that consumers would then have to be notified after the resulting investigation concludes. Realistically, that could span many months. Revisions to the bill, however, might cap the consumer notification grace period at 60 days after a breach is discovered, said a senior policy adviser to Mack.

What's the optimal time for notifying consumers when their data has been breached? It's easy to say Honda moved too slowly, or that Epsilon and Sony did right by moving quickly. But there aren't any pat answers.

As part of the House hearing, Sony's Schaaff cautioned against mandating timelines. "Laws--and common sense--provide for companies to investigate breaches, gather the facts, and then report data losses publicly," he said. "If you reverse that order--issuing vague or speculative statements before you have specific and reliable information--you either confuse and panic people, without giving them useful facts, or you bombard them with so many announcements that they become background noise."

In cases involving negligence (such as a lost USB drive), affected organizations should come clean quickly, but after cyber attacks, before going public "you want to have conducted your investigation thoroughly," says data breach expert Larry Ponemon, chairman and founder of the Ponemon Institute. "It's better to be slow and surgical rather than fast and inaccurate." Such inaccuracies often result in organizations having to continually revise estimates of breach severity.

Ponemon cites Sony as an example of what not to do. "In the Sony breach, based on my sources, it's very likely that when they discovered the data breach, they were still being attacked by the cyber criminals," he says. "So you don't want to announce the breach, because you want to get a better handle on who's attacking you."

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud, as this Tech Center report explains. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8142
PUBLISHED: 2018-05-21
A security feature bypass exists when Windows incorrectly validates kernel driver signatures, aka "Windows Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1035.
CVE-2018-11311
PUBLISHED: 2018-05-20
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
CVE-2018-11319
PUBLISHED: 2018-05-20
Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to ...
CVE-2018-11242
PUBLISHED: 2018-05-20
An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.
CVE-2018-11315
PUBLISHED: 2018-05-20
The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a ho...