Upmarket Chinese restaurant chain PF Chang's became the latest prominent company to have its name linked with a data breach and stolen customer information. According to a report by KrebsOnSecurity, information from "thousands of newly stolen credit and debit cards" linked to the restaurant was discovered for sale on the black-market website rescator.so this week.
There was a time when incidents like this, involving the theft of data from a prominent firm, were capable of shocking the public and sending corporate managers and public relations departments into a tizzy. No longer -- last year saw the largest ever number of data breaches, with 2,164 incidents that exposed 822 million records, according to a report by the firm Risk Based Security.
Breaches and data theft have become the new normal, to the point where a data breach etiquette has developed -- a set of best practices that set the pros apart from the flailers. Any company that wants to avoid making the situation worse should observe these nine rules.
Data breach rule No. 1: Disclose sooner rather than later
The biggest mistake that organizations make is to sit on evidence of a security incident, only to have word of it spread by way of a third party. Auction giant eBay recently found itself in hot water with the press, the public, and state Attorneys General when it was revealed that the company had known for months about a security incident in which employee accounts were compromised before going public. In contrast, music streaming service Spotify won praise for making a public announcement after it found evidence that a single user account had been compromised via a mobile application. The moral: If you have good reason to believe that a security incident has occurred in which data was lost, disclose it as soon as you can. You can always update customers, regulators, and the public as new information becomes available.
Data breach rule No. 2: Tell the whole truth
It's natural for companies who suffer an incident to practice damage control. Unfortunately, some companies take this to mean playing fast and loose with the facts. That's a bad idea for several reasons. For one thing, the facts often speak for themselves: Incidents like the breach at Target Brands, which first came to light in December, are often driven by the discovery of stolen data online or by ongoing investigations by credit card issuers and banks. Companies that try to downplay news of a cyber incident soon find themselves being undercut by leaks and revelations from outside sources. In other words, say what you know (and what you don't know) and take your lumps.
Data breach rule No. 3: Get your crypto straight
Were those stolen passwords encrypted or hashed -- or neither? In the heat of a security incident, the specifics of the technology your company used to secure its data may seem like a small and irrelevant detail, but it's not. The software giant Adobe Systems was roundly criticized when it was discovered that passwords for 2.9 million customer accounts were encrypted, rather than hashed and salted in accordance with industry best practice. The difference may seem trivial, but Adobe's use of Triple DES encryption to protect the passwords made it more likely that the actual values could be retrieved by thieves.
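The distinction rule No. 3 draws is easier to see in code. The example below is added here and is not code from the article or from any of the companies it names. It contrasts two ways of storing the same constructed sample credentials: a deterministic, reversible scheme (a toy keystream cipher standing in for Triple DES; it is not 3DES, and the key and user list are invented) and a per-user salted PBKDF2 hash. With the reversible scheme, whoever obtains the key recovers every password at once, and two users with the same password get the same stored value; with the salted hash there is no recovery function, only verification, and identical passwords produce different records.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample credential store (user -> plaintext password), used only as input.
SAMPLE_USERS = {"alice": "correct horse", "bob": "hunter2", "carol": "hunter2"}

# Hypothetical site-wide key, 24 bytes like a Triple DES key. One secret protects everything.
SITE_KEY = secrets.token_bytes(24)


# --- Scheme A: reversible, deterministic encryption (what the article criticizes) ---

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stand-in for a block cipher used without a per-record IV.

    Keystream = HMAC-SHA256(key, block counter); XOR with the plaintext.
    Deterministic: the same password under the same key always yields the same bytes.
    """
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = plaintext[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def toy_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # XOR with the same keystream undoes the encryption.
    return toy_encrypt(key, ciphertext)


def store_encrypted(users: Dict[str, str], key: bytes) -> Dict[str, bytes]:
    return {user: toy_encrypt(key, pw.encode()) for user, pw in users.items()}


def recover_all(store: Dict[str, bytes], key: bytes) -> Dict[str, str]:
    """What the key holder (legitimate or not) can do: read back every password."""
    return {user: toy_decrypt(key, ct).decode() for user, ct in store.items()}


# --- Scheme B: salted, slow, one-way hash (the industry best practice the article cites) ---

# Iteration count kept modest so the example runs quickly; tune higher in production,
# or use a memory-hard function such as scrypt or Argon2.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def store_hashed(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    return {user: hash_password(pw) for user, pw in users.items()}


def verify_password(store: Dict[str, Tuple[bytes, bytes]], user: str, candidate: str) -> bool:
    """The only operation the hashed store supports: recompute and compare in constant time."""
    salt, expected = store[user]
    _, got = hash_password(candidate, salt)
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    enc = store_encrypted(SAMPLE_USERS, SITE_KEY)
    print("encrypted store, bob == carol:", enc["bob"] == enc["carol"])
    print("with the key, recovered:", recover_all(enc, SITE_KEY))

    hashed = store_hashed(SAMPLE_USERS)
    print("hashed store, bob == carol:", hashed["bob"][1] == hashed["carol"][1])
    print("alice login ok:", verify_password(hashed, "alice", "correct horse"))
    print("bob wrong password:", verify_password(hashed, "bob", "letmein"))
```

The design point is that a breach of the encrypted store becomes a total loss the moment the key leaks (and the key must live somewhere the application can reach it), whereas the hashed store forces an attacker to guess each password separately, per salt, at the cost of the iteration count each time. Note also that deterministic encryption leaks which users share a password before any key is known.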