This week has seen Australians exposed to a pair of significant incidents that may have led to personal data being disclosed. Earlier this week, we learned that the Commonwealth Bank lost backup tapes containing a decade of bank statement data a couple of years ago pertaining to about 12 million customers. And, this morning, we learned that Twitter had an internal process failure leading to the usernames and passwords of 300 million users being stored in plain text. What can we learn from these incidents to inform our own incident response?
The Commonwealth Bank incident
We covered the Commonwealth Bank incident earlier this week but here's the TL;DR.
Back in 2016, the Commonwealth Bank discovered that tape drives containing a bunch of personal banking history data from a massive proportion of their customers were missing. The tapes were scheduled to be destroyed but the paperwork was never completed. The bank notified the Office of the Australian Information Commissioner (OAIC) and Australian Prudential Regulation Authority (APRA) as required but never told their customers.
To this day, no one knows if the tapes still exist and are in the possession of an unauthorised party or if they were destroyed and this is purely a paperwork cock up.
Commonwealth Bank didn't come clean with the story until they were outed by Buzzfeed.
The Twitter incident
We covered the Twitter "bug" earlier today. Essentially, an internal process that is meant to encrypt a bunch of data before it is written to system logs didn't do its thing and the unencrypted passwords were written to the logs in plain text.
Twitter says the incident was contained internally and that there's no suggestion that anyone accessed the data. But, just to be safe, they've advised everyone to change their passwords. In fact, when you log into Twitter, you'll be prompted to change your password.
In short, they disclosed a potential problem quickly, notified their users of what happened and provided them with advice on what to do.
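The Twitter failure described above is a masking step that silently did not run before data was written to logs. As an added example (not Twitter's code and not part of the original post), here is a fail-closed log redaction wrapper alongside a sweep that detects credentials already sitting in log lines; the sensitive field names and the sample log lines are constructed for illustration.

```python
import json
import re

# Field names that must never be logged in the clear (assumed for this example).
SENSITIVE_KEYS = {"password", "passwd", "new_password", "token", "secret"}
REDACTED = "[REDACTED]"

def redact(record):
    """Copy of a log record with sensitive values masked; walks nested dicts/lists."""
    if isinstance(record, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in record.items()}
    if isinstance(record, list):
        return [redact(v) for v in record]
    return record

def log_event(record, sink):
    """Append one JSON line to `sink` (a list standing in for a log file).
    Fail-closed: if redaction or serialisation raises, a marker line is written
    instead of the raw record, so a broken masking step cannot leak credentials."""
    try:
        line = json.dumps(redact(record), sort_keys=True)
    except Exception as exc:  # never fall back to str(record) here
        sink.append(json.dumps({"event": "log_redaction_failed",
                                "error": type(exc).__name__}))
        return False
    sink.append(line)
    return True

# Sweep for credentials already written in the clear: key=value or "key": "value"
# pairs whose value is not the redaction marker.
CRED_RE = re.compile(
    r'"?(password|passwd|new_password|token|secret)"?\s*[:=]\s*"?(?!\[REDACTED\])([^",\s}]+)',
    re.IGNORECASE)

def find_plaintext_credentials(lines):
    """(line_number, key) for every log line carrying a secret in the clear."""
    return [(n, m.group(1).lower())
            for n, line in enumerate(lines, 1)
            for m in CRED_RE.finditer(line)]

# Constructed sample log lines: line 1 was masked correctly, lines 2 and 3 were not.
SAMPLE_LOG = [
    '{"event": "login", "password": "[REDACTED]", "user": "alice"}',
    '2018-05-04T10:15:01Z auth user=bob password=hunter2 ip=198.51.100.7',
    '{"event": "reset", "new_password": "correct-horse", "user": "carol"}',
    '{"event": "logout", "user": "dave"}',
]
```

Running `find_plaintext_credentials` on a scheduled basis over log storage is the detection side; the wrapper is the prevention side, and the two together tell you both that masking broke and how long it was broken.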
What does good incident response look like?
With new laws coming in around the world regarding the protection of personally identifiable information (PII), all businesses need to think about how they will respond to security incidents. That means having a plan, rehearsing the plan regularly, and updating the plan as you learn from what happens to others and by monitoring what's happening around you.
Good incident response starts with not jumping straight into a defensive mode where the aim is to stop people from knowing what happened.
I think the high-water mark for incident response in Australia comes from the Red Cross Blood Bank. When it was revealed that blood donor records from over half a million people were left on a publicly facing, unsecured server by a third-party contractor, they
- Notified their clients as soon as they knew through multiple channels including email, SMS and the media
- Carried out an investigation and released clear information about what had happened
- Explained what the potential risk to clients was and how it was being mitigated
- Explained what steps had been taken to prevent this happening again
- Took full responsibility for the breach themselves, and didn't try to deflect things to the contractor
All that happened in a very short time from when the breach was disclosed.
How did Comm Bank and Twitter compare?
Let's start with Twitter.
Twitter didn't suffer an external breach - they had an internal systems bug that, as far as they can tell (and I'm assuming they're being 100% honest in their communications about this), has not resulted in the disclosure of any personal or confidential information to an unauthorised party. Although we aren't certain of the precise timelines, they use the word "recently" in their communications.
Twitter CTO Parag Agrawal said the company was not obligated to disclose the incident but did so as they "believe it's the right thing to do".
In contrast, Commonwealth Bank knew about their incident back in May 2016 when they reported it to the OAIC and APRA. And while there was no legal obligation to notify customers, there's a question about whether they were morally or ethically obligated to do so.
The Commonwealth Bank employs about 52,000 people. According to reports, knowledge of the potential data loss was contained to a group of about 150 senior executives and external investigators from KPMG. So, even with such a tight circle, the story still got out.
There are lots of guides out there to help you build an incident response plan. I want to focus on one thing.
Don't try to bullshit your customers
It is almost inevitable that any significant data loss or breach will become public. It happened to Catch of the Day in 2016, Uber earlier this year and it's happened to Commonwealth Bank this week. In all of those cases the customer anger and negative publicity has caused problems for those companies.
And while share prices and customer sentiment might have recovered, the recovery costs time and money that could be better spent on other business imperatives.
If you suffer a data breach, get on the front foot. That list of things the Red Cross Blood Bank did is a good place to start. If you tell customers what happened, no-one else can come up with their own version of the story that fills in the blanks with assumptions and embellishments.
Gather the data quickly, get it in front of the affected parties promptly and take responsibility.