by Simon Edwards
Security experts have for years been urging organisations to adopt a data breach posture of “not if but when”, and to develop and test incident response plans accordingly. With sweeping new EU regulations coming into force early next year, those plans have never been more important. For those CISOs looking for a real-world example of what can happen when things go awry, look no further than the cautionary tale of automobile giant the AA.
A cautionary tale
Let’s take a quick look at what happened. According to noted researcher Troy Hunt, the car insurance and driving school giant was first notified back in April that a database backup of customer information had been left exposed to the public-facing internet, potentially putting it within reach of malicious third parties. The first customers heard of it was a password reset email, which caused anger and confusion. However, the company then issued the following official statement (since removed) on its site:
“This email was sent by us in error. We would like to reassure everyone that passwords have NOT been changed and personal data remains secure. We’re sorry for any confusion.”
However, as news of the data incident spread, the firm issued the following tweet – also since removed:
“The AA Shop data issue is now fixed, No credit card info was compromised & an independent investigation is underway. We’re sorry.”
That missive was also incorrect, as partial credit card data was indeed exposed in the incident; specifically, the last four digits of customers’ cards, their expiry date and CV2 number. That’s certainly enough data to mount a convincing follow-on phishing/fraud campaign. Still, the AA maintained via its official Twitter feed that no card data had been exposed and that information to the contrary was “speculation”.
Eventually, on 7 July, the company was forced to come clean over the exposure of the estimated 120,000 accounts, said to have occurred due to an error by a third-party provider. President Edmund King wrote to customers apologising.
Nowhere to hide
Without wanting to speculate on its motives for handling the incident the way it did, it’s clear that the affair has been a PR disaster for the company, and it has been described by Hunt as part of an “alarming trend” of breach cover-ups. There’s no evidence that malicious third parties did access the data when it was accidentally exposed by the company. So, while customers would have been disappointed to hear of the incident, most would have been relatively sanguine if notified promptly and transparently.
Unfortunately, the lack of prompt notification and subsequent lies concerning the security of their data – especially card data – will have undermined trust in an organisation whose brand is built on exactly this value.
If the same incident happens after 25 May 2018, there will be big fines waiting from the European Commission. The GDPR will not only mandate 72-hour breach notifications but also levy fines of up to 4% of global annual turnover for serious infractions.
Without knowing exactly what went on at the AA internally during the past few months, it’s clear that its incident response left much to be desired.
Here are some tips on how to ensure your organisation isn’t left similarly red-faced:
- Draw up a list of key personnel from various departments who need to be involved in the IR team: including PR, HR, legal, IT
- Determine triggers for incident response: such as unauthorised access attempts, exposure of data on the public internet, discovery of malware etc
- Integrate planning with GDPR compliance efforts
- Ensure clear lines of communication both internally and with customers/media
- Swift communication and remediation are essential
- Train staff so each IR team member and wider employees know their role
- Regularly test the plan to ensure it is fit for purpose
The GDPR will leave nowhere to hide for organisations looking to sweep data breach incidents under the carpet. But regulators understand that 100% breach prevention is impossible and will certainly look more favourably on firms that have followed industry best practices.
The good news is that Trend Micro’s popular CLOUDSEC conference is back again this year and packed full of fantastic learning opportunities for IT security leaders. PwC’s Global Head of Data Protection & Cyber Security, Stewart Room, will be on hand to share his insight into taking a risk based approach to GDPR compliance. There’ll also be loads of advice on improving your cybersecurity posture, and how the EU regulation will work in the cloud computing sphere.
Places are limited so book your spot today:
What: CLOUDSEC 2017
When: Tuesday 5 September
Where: Park Plaza Westminster Bridge, London