An important and often mandatory step in the incident response process is notifying your customers and the general public that an attack has transpired. There are important considerations when taking such an action. After all, there are some mistakes you should absolutely never make – missteps that can cost your business its reputation, and get you into hot water with consumers, the hacking community or legal and regulatory authorities.
Over the last year, companies such as Facebook, Fatface, Mobikwik, SolarWinds and Ubiquiti have all faced accusations of mishandling certain aspects of their incident notification. SC Media asked experts in the field what they believe are some of the biggest unforced errors you can make when it comes to notification no-nos. Here is a sampling.
Revealing too little… or too much, too soon. “Expectations around how corporate America responds to and communicates around data breaches has evolved significantly over the past two decades,” said T.J. Winick, senior vice president at strategic communications firm Solomon McCown & Cence. “Today’s consumers expect quick notification and a company’s full transparency around the breach: how it occurred, what data was exposed or vulnerable, how long the breach lasted, what is being done to shore up cybersecurity defenses so that it never happens again and, critically, live human beings who can answer anxious customer questions in real time over the phone, live-chat or email.”
And yet, breached companies must find the right middle ground between giving their affected customers base nothing to go on and supplying an overabundance of information, especially if the investigation is still ongoing and the facts of the case are still hazy. Providing the wrong information can be just as bad as no information at all.
“You want to communicate in a timely fashion with the stakeholders and that's… your potentially impacted business partners, it's your consumers if you have a consumer base, it's the regulators,” said Ann Marie Mortimer, managing partner and co-head of commercial litigation practice at Hunton Andrews Kurth LLP, responding to a question posed by SC Media during an RSA panel session last month. “And the clock starts running right from the moment you become aware of a breach.”
On the other hand, “the competing or counterbalance pressure is you want to be accurate in those communications – because you lose credibility and sometimes you overstate or understate the incident if you're working on limited information.”
And while Mortimer said there’s no one-size-fits all answer, she did offer a recommendation: “Don't delay in too long before responding, but try to get some information to make sure you feel relatively certain,” she said. “And then in the communication, be transparent about the fact that the facts are continuing to evolve, so leave yourself some room if different facts develop. But timeliness, accuracy and transparency are key rules when communicating with your stakeholders.”
Scapegoating. Companies trying to deflect culpability off of themselves sometimes end up casting the blame on a very specific party when the problem was actually more systematic. For instance, furing Congressional testimony following the supply chain attack on SolarWinds’ IT management platform Orion, the company’s CEO Sudhakar Ramakrishna blamed an intern for creating a weak FTP server password and leaking it on GitHub. Later at the RSA Conference he expressed regret for this tactic, noting at the RSA conference that it was “not appropriate” and “not what we are about.”
“When a data breach is discovered, the heat is on the IS/IT department(s) and, in many organizations, there is a culture of blame,” said Winick. For instance, Winick cited a 2017 New York Post article that suggested credit rating company Equifax had blamed its software vendor for a major breach, “thus violating another crisis communications commandment of ‘Be accountable.’” Since hiring its current CISO Jamil Farshchi, however, the firm has placed a stronger emphasis on fortifying its own internal security hygiene.
To avoid playing the blame game, Winick recommended that breached companies seek the advice of external consultants who can look at the situation with no bias. “Hiring outside experts is helpful in dealing with such a culture in that they can provide a level of objectivity internal stakeholders will not possess. Third-party forensic, legal and communications consultants will not have an issue delivering hard truths to a CEO who may need to hear them from those other than those advisors he/she is used to hearing from on a daily basis. This contrasts sharply with work settings where the C-suite rallies around their digital leaders in a time of crisis.”
Nonchalance/downplaying the incident. When an organization is attacked, members of user base wants to feel like their welfare is top of mind. Sometimes, however, a business offers very little in the way of comfort, helpful information or restitution.
“What does ‘going through the motions’ look like when it comes to a data breach response? A simple, pro forma apology, a free comprehensive package of identity theft protection and credit file monitoring, and a public statement weeks or months after the breach is discovered,” said Winick. “While this often occurs so the company in question can get their house in order, it does nothing to endear their brand to victims of the breach or to other loyal customers.”
But even worse is when the company makes dismisses or downplays reports of a breach’s severity. In one recent case, Indian company MobiKwik went as far as to publicly deride the findings of a security researcher who found 8.2 terabytes of user data on the dark web – the result of a data breach.
"A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention," MobiKwik tweeted. "We thoroughly investigated his allegations and did not find any security lapses. The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company."
But The Hacker News reported that users cast doubt on this claim after finding their personal details on a MobiKwik India data leak site.
"Never *ever* behave like @MobiKwik has…" wrote Troy Hunt, security researcher and creator of breach notification tool Have I Been Pwned, tweeted, calling out MobiKwik's handling of the situation.
Also, last March, Krebs on Security reported that a breach disclosed last January by IoT device vendor Ubiquiti was far worse than the company had indicated publicly. According to the blog post, a whistleblower with insider information “massively downplayed a catastrophic incident to minimize the hit to its stock price.” Later, Ubiquiti would post on its user forum that its security experts identified “no evidence that customer information was accessed, or even targeted.”
But in a letter to the European Data Protection Supervisor, the whistleblower reportedly said the breach “was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world [were] at risk.”
Delaying notification or failing to notify at all. Nobody wants to deliver bad news, but a lack of transparency often only delays the inevitable. Or worse, it allows someone else, like the media or the attackers, to control the message, instead of the business itself.
For instance, Facebook has been under criticism for its decision not to individually notify roughly 530 million of its users whose personal data ended up in a publicly posted database after the information was scraped in a breach that occurred prior to August 2019. Reportedly, Facebook said it was not confident which customers it would specifically have to notify and added that the vulnerability that enabled the data scraping has since been fixed anyway.
In general, a company “shouldn’t be the one to judge whether the type of information accessed merits notifying clients/customers/users about the breach. They have a right to know. Period. As stewards of their customers’ personal information, companies have an obligation to protect that information and to inform customers when it has been breached,” said Winick. “If your organization doesn’t speak or issue a public statement to drive the narrative in the aftermath of a breach, others will: including regulators, cybersecurity experts, and your competitors.”
Uber, of course, was responsible one of the most infamous examples of non-disclosure that ultimately came to light and was exposed. The company’s former CSO Joe Sullivan was criminally charged by the DOJ last August after an alleged breach coverup that involved Uber paying off two hackers who breached the transportation service’s database and exfiltrated user and driver data.
“Regulators and law enforcement rightfully – and increasingly – view companies struck by a cyberattack as victims; but… that view quickly changes when companies fail to be transparent,” said Michael Bahar, chair of Eversheds Sutherland’s cybersecurity practice. “A bad day becomes a terrible year if companies fail to report something they should have reported and are found out – which is typically just a matter of time.”
“To borrow from the U.S. Navy Flight Manual, when experiencing cybersecurity problems, maintain the high ground, be transparent, and do not needlessly expend capital. These are the keys to maximizing your chances of coming through with minimal damage. Failing to do any one of these, including by not reporting something you should have, maximizes your chances of disaster,” Bahar continued. “If you have to ask the question whether to notify, it is probably better to notify… There will certainly be times when a data security incident falls below reporting thresholds, whether because the risk of harm is low, or because the numbers of individuals affected are below the minimum. But the closer the call, the more likely the regulator will see it the other way if you don’t report.”
Asking consumers to keep details confidential, not to sue. UK-based retailer Fatface last March notified customers of a “sophisticated criminal attack,” uncovered two months earlier, that may have accessed customer data. But the letter contained an unusual request: “Please do keep this email and the information included strictly private and confidential.”
Larry Parnell, director of the strategic public affairs program at George Washington University, told SC Media that a strategy of telling people not to discuss being the victim of a crime would likely only accomplish the opposite, especially because the brevity of the request, without providing any reasoning or instruction, would likely be viewed by customers as suspicious.
“The right thing to do, perhaps the difficult thing to do, is as soon as you become aware of the breach to notify the public and your customers. Trying to pretend it didn’t happen or ask people not to talk about it, is going to look like a cover-up,” he said.
Meanwhile, Equifax after its breach had what many other consumers considered to be an unreasonable request: “Consumers actually had to waive their right to sue Equifax as part of a class action lawsuit just to check and see if their data was stolen,” through a website that the company had provided, Winick recalled. But if companies want to be looked at as customer-friendly, they shouldn’t be asking for such sacrifices in exchange for informing their own users if they were affected.
Additional reporting by Joe Uchill.