What Can We Learn From Comm Bank And Twitter After This Week's Disclosures

Image: iStock

This week has seen Australians exposed to a pair of significant incidents that may have led to personal data being disclosed. Earlier this week, we learned that the Commonwealth Bank lost backup tapes containing a decade of bank statement data a couple of years ago pertaining to about 12 million customers. And, this morning, we learned that Twitter had an internal process failure leading to the usernames and passwords of 300 million users being stored in plain text. What can learn from these incidents to inform our won incident response.

The Commonwealth Bank incident

We covered the Commonwealth Bank incident earlier this week but here's the TL;DR.

Back in 2016, the Commonwealth Bank discovered that tape drives containing a bunch of personal banking history data from a massive proportion of their customers were missing. The tapes were scheduled to be destroyed but the paperwork was never completed. The bank notified the Office of the Australian Information Commissioner (OAIC) and Australian Prudential Regulation Authority (APRA) as required but never told their customers.

To this day, no one knows if the tapes still exist and are in the possession of an unauthorised party or if they were destroyed and this is purely a paperwork cock up.

Commonwealth Bank didn't come clean with the story until they were outed by Buzzfeed.

The Twitter incident

We covered the Twitter "bug" earlier today. Essentially, an internal process that is meant to encrypt a bunch of data before it is written to system logs didn't do its thing and the unencrypted passwords were written to the logs in plain text.

Twitter says the incident was contained internally and that there's no suggestion that anyone accessed the data. But, just to be safe, they've advised everyone to change their passwords. In fact, when you log into Twitter, you'll be prompted to change your password.

In short, they have disclosed a potential problem quickly, notifying their users what happened and provided them with advice on what to do.

What does good incident response look like?

With new laws coming in around the world regarding the protection of personal identifiable information (PII) all businesses need to think about how they will respond to security incidents. That means having a plan, rehearsing the plan regularly, and updating the plan as you learn from what happens to others and by monitoring what's happening around you.

Good incident response starts with not jumping straight into a defensive mode where the aim is to stop people from knowing what happened.

I think the high-water mark for incident response in Australia comes from the Red Cross Blood Bank. When it was revealed that blood donor records from over half a million people were left on a publicly facing, unsecured server by a third-party contractor, they

  1. Notified their clients as soon as they knew through multiple channels including email, SMS and the media
  2. Carried out an investigation and released clear information about what had happened
  3. Explained what the potential risk to clients was and how it was being mitigated
  4. What steps had been taken to prevent this happening again
  5. Took full responsibility for the breach themselves, and didn't try to deflect things to the contractor

All that happened in a very short time from when the breach was disclosed.

How did Comm Bank and Twitter compare?

Let's start with Twitter.

Twitter didn't suffer an external breach - they had an internal systems bug that, as far as they can tell (and I'm assuming they're being 100% honest in their communications about this) has not resulted in the disclosure of any personal or confidential information to an unauthorised party. Although we aren't certain of the precise timelines, they use the world "recently" in their communications.

Twitter CTO Parag Agrawal said the company was not obligated to disclose the incident but did so as they "believe it's the right thing to do".

In contrast, Commonwealth Bank knew about their incident back in May 2016 when they reported it to the OAIC and APRA. And while there was no legal obligation to notify customers there's a question bout whether they were morally or ethically obligated to do so.

The Commonwealth Bank employs about 52,000 people. According to reports, the potential data loss was contained to a group of about 150 senior executives and external investigators from KPMG. So, even with such a tight circle, the infraction still got out.

The lesson

There are lots of guides out there to help you build an incident response plan. I want to focus on one thing.

Don't try to bullshit your customers

It is almost inevitable that any significant data loss or breach will become public. It happened to Catch of the Day in 2016, Uber earlier this year and it's happened to Commonwealth Bank this week. In all of those cases the customer anger and negative publicity has caused problems for those companies.

And while share prices and customer sentiment might have recovered, the recovery costs time and money that could be better spent on other business imperatives.

If you suffer a data breach get on the front foot. That list of things the Red Cross Blood bank did is a good place to start. If you tell customers what happened, no-one else can come up with their own version of the story that fills in the blanks with assumptions and embellishments.

Gather the data quickly, get it in front of the affected parties promptly and take responsibility.


Comments

    I enjoy reading Lifehacker, I really do but two 'articles' today make me wonder whether the 'soul' has gone from the site.

    Firstly this morning I'm presented with what I can only call an appalling sales pitch for an overseas money transfer solution that wasn't clearly marked as paid for advertising. (The gist was "Your bank will rip you off, use these guys instead" when the reality is the service being promoted is horribly expensive compared to any number of competing services - in a spot check vs. the service I personally use the difference was close to $150 on a $2,500 transfer.)

    Now I'm presented with this article that tries to compare the lack of a "destruction certificate" for a backup tape containing no usernames or passwords to login to a banking website with the actual exposure of passwords to a hugely popular and influential social media site.

    As someone that works in IT and understands information security I find this article unhelpful, these are two very different situations with two very different sets of risks and this article seems to simply take another pot shot at the banks rather than trying to educate anyone as to what either of these things mean to them personally.

    If you had explained the risks to customers of the "possible" non-destruction of a backup tape (which under most circumstances for a bank is likely to have been encrypted) with the actual exposure of unencrypted passwords (which people frequently reuse) and then compared the reaction from the companies concerned this article would be more credible.

    As things stand, the Twitter situation is probably a much higher risk situation to a much higher number of people than the Commonwealth Bank situation. Yet this article makes it seem that somehow the Commonwealth Bank has left their customers significantly more exposed than Twitter.

    Honestly, you can do better.

      Thanks for the comment. The pint of this article was about the severity of the two incidents but to look at what can be learned from them. The headline says it's about what we can learn and other than a brief summary of the two incidents they rest is about incident response.

      I don't address the potential risks to users or customers of the two incidents in any depth

Join the discussion!

Trending Stories Right Now