When a large-scale cybersecurity breach happens to a big company, it makes your newsfeed. Once the crisis has passed, though, the public tends to forget about what happened and, more importantly, why it happened. Cybersecurity breaches are “teaching moments,” and not just for the companies involved who are scrambling to save data, money, and face, and who are cleaning up their cybersecurity mess for years after the incident. All businesses, big and small, can learn from headline-making cybersecurity breaches, tailoring their incident response plans accordingly.
Some of the most significant breaches of the last ten years have taught both businesses, and the cybersecurity industry, some harsh lessons that can now be applied to incident response planning. The following are scenarios taken from the most notable, headline-making cybersecurity breaches of the past decade and the incident response lessons we can learn from them.
Vendor access weakens large department store cybersecurity and incident response
In December 2013, during the busy holiday shopping season a department store chain had a massive cybersecurity breach. The credit and debit card information, as well as contact information, including phone numbers, emails, and addresses, of up to 110 million people were jeopardized. The cybersecurity breach began before Thanksgiving, just in time for Black Friday shopping, but was not discovered until well into December. By then the damage was done.
The large retailer discerned that hackers had gained access, by-passing cybersecurity measures, through a third-party HVAC vendor, to its POS system and payment card reader. The hackers used a smaller vendor to “break into” the retail giant. The large company had overlooked vendor access vulnerability in their cybersecurity incident response planning. In the breach’s aftermath the CIO and CEO both resigned. The damage of the cybersecurity breach tallied at $162 million.
Four years later the retailer was still cleaning up from the cybersecurity breach. In May 2017, the company was given six months to make significant cybersecurity improvements, yet the ordered improvements set a low-security bar. Tom Kellermann, CEO of Strategic Cyber Ventures, described the cybersecurity improvements as a “slap on the wrist.” Kellermann also said it, “represents yesterday’s security paradigm,” since the ordered cybersecurity measures are about keeping attackers out and not focused on the importance of improving incident response.[i]
Cybersecurity Breach Takeaway: A vital part of incident response planning is looking for cybersecurity vulnerabilities outside of your direct network, ensuring that your vendor’s cybersecurity is fortified while paying particular attention to what your vendors can access. Vendors need to be taken into account when building a strong incident response plan.
Biggest breach award-winner
A web-based company wasn’t feeling so celebratory when it discovered that between 2013-2014 it was victim to the largest data breach in history (a record that still stands). Three billion user accounts in total were compromised giving state-sponsored hackers access to user’s real names, email addresses, passwords, birth dates, and telephone numbers.
The breach was ill-timed as the company was in the process of being purchased. The combined breaches knocked approximately $350 million off of their asking price. In addition, the company and the new buyer had to pay regulatory and legal liabilities incurred from the breaches. At one time, the victim company had been valued at $100 billion; the buyer ended up spending the bargain price of only $4.48 billion. The breaches knocked the wind out of that “sale.”
Cybersecurity Breach Takeaway: Breaches are expensive. Really expensive. Quick incident response to the initial attack would have helped to curb the cost.
Messy incident response
A cybersecurity breach drove down a ride-share app’s value. In late 2016, two hackers defeated the company’s cybersecurity measures, obtaining the personal information of 57 million users and the driver license numbers of 600,000 drivers. The hackers gained access to the company’s GitHub account. In the GitHub account, they located the username and password credentials for their cloud account, and from there they could get all the data they wanted. The login credentials had no place being on GitHub. Where to store important username and passwords should have been part of the preparation for their incident response strategy.
From there, the incident response gets really messy. In a cover-up attempt, the company didn’t publicly disclose the breach for a year and paid the hackers $100,000 to destroy the data claiming it was a “bug bounty” fee. There was no way to verify that the hackers did as instructed. Then, the company fired the CSO because of the breach, making him the scapegoat. The breach, and company’s poor handling of it, cost the company in both reputation and money. When the breach was announced, a buyer was in negotiations to claim a stake in the company. Before the breach, the company was valued at $68 billion. By the time the deal closed after the breach the company’s valuation had dropped to $48 billion. Also, in late 2018, the company was required to pay $148 million as a reprimand.[ii]
The company’s “decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, [the company] swept the breach under the rug in deliberate disregard of the law,” California Attorney General Xavier Becerra said.[iii]
Cybersecurity Breach Takeaway: How the company handled the breach is a lesson for other organizations on what not to do. They turned a bad breach into a big, hot mess. First, protect your username and passwords! They are sacred. Second, take smart action, fast. Paying off criminals with no proof of data destruction is not classified as smart action. Once again, cybersecurity breaches are expensive. In this case, a breach cost $20 billion on the sale, plus the $100,000 bribe and later the $148 million in penalties.
Hackers lying in wait before merger
Between 2014 and September 2018 cyber-thieves stole 500 million hotel-chain customers’ data. The cybersecurity breach started with a smaller hotel chain in 2014. This was a slow burn hacking job, with attackers lurking in the smaller hotel’s system until an extensive hotel chain acquired it in 2016. When the two systems merged, the hackers had access to a significantly larger database. It wasn’t until September 2018 that the breach was discovered, giving the hackers access to customer’s names, passport numbers, contact information travel itineraries, and credit card numbers for years.
The New York Times reported, December 2018, that the hackers involved were most likely working on behalf of the Chinese Ministry of State Security, a Communist-controlled civilian spy agency to gather data on US citizens. If this is proven right, this would be the most significant known breach of personal data conducted by a nation-state.[iv]
Cybersecurity Breach Takeaway: First, hackers have become good at hiding and waiting. It grows harder to detect intruders. Diligence must be paid to scanning systems and looking for “dark corners” as part of incident response planning. Also, extra care must be taken in incident response planning, when merging two companies’ networks – especially when absorbing a smaller system into a more extensive operation.
Moral of the story: Have an incident response strategy
The moral of each of these breach stories is that a current, practiced and robust incident response strategy is necessary to combat attacks. The faster a company can implement incident response action, detecting, containing and extinguishing a cybersecurity breach, the less damage they will incur.
Attacks and breaches will happen. The cybersecurity game is constantly changing, and a company’s defence has to be right all of the time, while a hacker only has to be right once. Hackers will keep trying to take your data, and you won’t win every fight. However, if you’ve prepared, if you have a strong incident response strategy, then you will win when it matters most.
Incident response plans begin before a cybersecurity breach happens. The first step of incident response is fortifying your network and evaluating vulnerabilities from end-to-end, making sure you have the most current cybersecurity tools in place. How you deal with the aftermath of a cybersecurity breach, and the public, is also part of incident response planning. You can minimize damages and costs by proactively investing in incident response planning so that you’re prepared. Incident response plans are paramount to good business and will help to keep your company from making headlines with a cybersecurity breach.