Save content
Have you found this content useful? Use the button above to save it to your profile.
data breach

Cyber security: What to do in the event of a data breach

30th Jan 2018
Save content
Have you found this content useful? Use the button above to save it to your profile.

In the first article of his GDPR data protection series, Brandfire Cybersecurity consultancy founder Stewart Twynham explains the steps to follow in the event of a data breach.

In April 2016, an NHS Trust was fined £185,000 for publishing a pivot table with its data source (the personnel records of 6,574 employees) still attached.

In August 2016, a nursing home was fined £15,000 after a laptop containing the unencrypted records of 29 residents and 46 staff was stolen.

In June 2017, an SME was fined £60,000 after 26,331 credit card numbers (including the security code) were stolen from its website.

In August 2017, Talk Talk was fined £100,000 after details of 21,000 UK customers were stolen by staff at its IT supplier in India, Wipro.

These are four very different breaches and an indication of the diversity of issues that Data Protection Officers (DPOs) face. I will be examining each of these examples and others in more detail in the coming months.

Data breaches are fast becoming a fact of life for modern businesses simply because we process more and more data, often on the move. Whilst the risk of a “category one cyber attack” might be grabbing the headlines at the moment, for many businesses the most proximate threats still come from the temp on reception sticking an important document into the wrong envelope or a member of staff losing an unencrypted device. Human factors accounted for almost half of the notifications to the Information Commissioner’s Office (ICO) last quarter.

Most breaches will become notifiable

One of the big changes under the GDPR is mandatory breach notification.

Broadly speaking, businesses will have to inform the ICO within 72 hours of any personal data breach which affects people’s “rights and freedoms”.  Businesses will also have to inform data subjects “without undue delay” if there is a “high risk” to those rights and freedoms.

Currently, health is the only sector required to notify the ICO, which is why it generates around a third of all notifications.

How not to handle a data breach: Equifax

How a data breach is handled will have a huge impact far beyond the ICO.  A loss of trust in the brand, a fall in share price and departures at the top are all possible.

In 2017, the credit reference agency Equifax failed to patch a critical vulnerability in its web servers, so two months later someone broke in. It took a further two months for Equifax to spot the intruder, by which time it had filtrated the records of 143 million people.

Equifax then decided to keep quiet for six weeks whilst deciding what to do. When Equifax finally went public it offered free identity theft monitoring with a sting in the tail: the customer must waive all rights to sue Equifax. Despite earlier denials, six weeks later the agency admitted that other countries were affected, including 634,000 people in the UK.

The business lost a third of its value and saw the early departure of the Chief Information Officer (CIO), the Chief Information Security Officer (CISO), with the Chairman and Chief Executive, Richard F. Smith, “retiring” just days later.

Putting aside the glaring security blunders, Equifax didn’t have a plan, which meant it took far too long to respond to something that needed their most urgent attention. Even then, the business managed to concoct a half-baked solution (the lawsuit waiver) which told everyone that Equifax wasn’t really interested in its customers at all. Then, they let the bad news drip out until a point was reached that nobody believed them.

Don’t panic!

A frantic call from a customer, an urgent e-mail from a supplier or comments made on social media may be your first sign of a problem.

It might sound obvious, but unless you have indications to the contrary, treat all reports as a potential security incident and avoid using the term “breach”. Once you use the term, you’ve essentially made it notifiable.

Once you’ve established it is a breach then in the words of Corporal Jones… “Don’t panic!”

Forget the headlines about eye-watering fines; most notifications never result in a penalty and even under the GDPR, penalties will be proportionate and reserved for situations where a catalogue of basic failings has lead to the loss.

The next stage can be summarised in three steps - investigate, protect and communicate.

  1. Investigate

It is essential you manage by fact but you will also need to move quickly. Your focus should be on the questions that the ICO will be asking you about:

  • The nature of the information disclosed
  • Who is affected
  • The likely consequences to the individuals
  1. Protect (the data subjects)

Take steps to address the breach or minimise the impact of the breach on the data subjects.

This does not mean coming up with a clever wheeze to prevent future lawsuits as Equifax attempted. Sensible, timely mitigation will be a strong defence in any future ICO investigation.

Elements might include steps to lock down your systems and accounts to protect customers from fraud to notifying banks or credit card companies.

  1. Communicate

One of the key planks of GDPR is transparency. You will need to be open and honest when communicating with the ICO, the press, social media and data subjects. To use a popular term in PR: tell it all, tell it fast and tell the truth.

Planning is everything

As you will have realised, completing these three steps is almost impossible unless you already have a crisis management plan in place. Here are just some of the issues you might face if you try to tackle this without a plan:

  • Your current IT company doesn’t have the forensic skills to determine what happened or even ensure that any intruder is no longer at large
  • Your systems are in the cloud. Hosting, development and management are three different companies in different time zones and they aren’t talking to one-another
  • You can’t find the right contacts to speak to at the bank
  • Your marketing agency doesn’t understand IT, data protection or crisis PR
  • None of your management team have ever had any media training, so they cannot field press enquiries
  • You haven’t got sufficient time to prepare briefings for the media or information packs for customers

Running through different scenarios will help your business to get prepared. The good news is businesses that understand and prepare for the worst tend to make better and more informed security decisions - decisions which can help prevent breaches happening in the first place.

Next time: Getting those basics right

ICO penalties are issued when businesses fail to get the basics right, so my next article looks at some of the baseline controls every business must have in place.


Replies (5)

Please login or register to join the discussion.

By holzier
01st Feb 2018 16:53

According to my research (see facts here) we tend to think of these things in terms of the potential impact to individuals. But think about this; what if this was a nation-state. And what if they, in a short period of time, threw 150 million wrenches into the credit rating system. It could have significant economic impact. We need to rethink how all of this is done, for national security reasons. Unfortunately, it does not look like we have even the "B" team up in DC right now.

Thanks (0)
By North East Accountant
02nd Feb 2018 09:43

Can't see much self reporting at the small end of business (ourselves excluded, of course).

Presumably every time an email goes to the wrong person one should self report.

Thanks (0)
Replying to North East Accountant:
By Stewart Twynham
02nd Feb 2018 11:03

If it's an innocuous e-mail, then it would probably not require notification - although I would make an effort to discuss the matter with the unintended recipient on the phone, and if necessary you and they may wish to log it.

If the e-mail contained personal data and thus was a risk to rights and freedoms of a natural person - then you would have to notify the ICO, but you wouldn't have to notify the individual if it was not a high risk to their rights and freedoms. You would also be required to document everything (Article 33 clause 5).

If, on the other hand, you discover that the e-mail was sent as part of a batch e-mail merge gone wrong and 1,000 people have been sent the incorrect e-mail, then that would in itself represent a high risk which would require notification to the individuals affected as well.

If it was an e-mail to invite people to a meeting of your local alcoholics anonymous / mental health support / religious meeting / political rally / trade union group / etc and you've added everyone to the To: or Cc: list and not the Bcc: list - then yes, it's notifiable to both as this would be a high risk, falling under Article 9 - special categories of personal data. Notification may not be necessary if no sensitive data is revealed or implied and if only a minor number of email addresses are revealed.

Thanks (0)
06th Apr 2018 10:40

after facebook now exposed truth off
After a broadened activity of more than 10 months, these programmers have gotten to the private data of the apparent ISIS sympathizers that incorporates the photograph, name, email ID,MAC address etc. Kislay Chaudhary, cyber security expert and chairman of Indian Cyber Army said Despite having concrete information about the ISIS sympathizers or other terror supporters, the government or the intelligence agencies do not pay a heed to it. Instead of conducting a primary investigation, the motive and patriotism of the hackers are questioned, Full news :-
Kislay Chaudhary Ft. in India today on Exposed Nasty Truth About ISIS Supporters

Thanks (0)
15th Jun 2018 08:50

Information security is the set of processes that maintain the confidentiality, integrity and availability of business data in its various forms. Indian Cyber Army has been dedicated in fighting cyber crime, striving to maintain law and order in cyberspace so as to ensure that everyone remains digitally safe.

Thanks (0)