DATA BREACH BREAKDOWN
LESSONS LEARNED FROM TARGET
2014 NSGA Management Conference
John Webb Jr., CIC – Emery & Webb, Inc.
Not just a big business problem…
• Cyber liability comes from various sources
• Sources that almost every business has
• Employees
• Websites
Sources of Liability
• Employees making data handling errors, such as sending an email to the wrong person or an email containing defamatory statements
• Websites and social media platforms where ideas and comments can be posted
• Websites using unauthorized images,
More Sources of Liability
• Your business computer system can be used to transmit a virus or an attack to other computer systems
• Your computer system can be made inoperable by bad programming or malicious activity. That means costly downtime and data restoration costs
Yes, even more sources of Liability
• The data in your computer system is valuable, very valuable
• Credit and debit card information flowing between your point-of-sale system and the processor
• Customer information such as name, address, bank account numbers, etc…
• And it can be threatened as easily as a lost
How valuable is my data?
• Your data is valuable enough that laws have been written to protect it
• Data breach notification laws carry real costs even if no harm or damage to the other party is ever proven
• The simple fact that a data breach happened will cause real costs to your business
What kind of costs?
• Notification Expense
• Credit Monitoring or Identity Repair
• Forensic Investigations
• Public Relations Assistance
• Data Restoration
• Business Interruption
Examples of Real Cost
• Notification: $1 - $2 per person
• Credit monitoring subscriptions: $15 - $25 per person
• Consulting for forensic research & recovery: $250 - $350 per hour
• Credit card reissuance fee: $20 - $30 per card
• Legal fees: $350 - $600 per hour (specialist required)
• Information hotlines: $5+ per call
Manage your data risk, don’t ignore it!
Reduce the cost to your business with:
Risk Management
“Ultimately, security is about people – not technology”
Foundations of Information Privacy and Data Protection. P. Swire & K. Ahmed, 2012
Insurance
“It’s not a matter of if, but when”
Said, thought or written by nearly every data security professional working today
First Party Coverages & Controls
Breach Costs
1. Notification and Credit Monitoring
Controls
• Know your data!
• Was it really a breach?
• Is credit monitoring necessary?
2. Crisis Management & PR
Controls
• Get your team ready to play
3. Cyber Extortion
Controls
• Regular back-ups and testing
4. Business Interruption, Extra Expense & Data Asset Restoration
Controls
• Prepare a business continuity plan
5. Regulatory Fines / Penalties
Controls
• Be forthcoming
• Be proactive
Third Party Liability & Controls
Responsibility
1. Security – failure to prevent transmission of a virus
Controls
• Keep systems up to date and monitor as much as possible
2. Privacy – failure to protect personal information
Controls
• Transparent data
3. Electronic Content – libel, defamation, infringement
Controls
• Review process for all content and certs from developers
4. Regulatory Actions
Controls
• Communication, communication, and more communication
Target Breach – Why Security is Hard
3rd party access – HVAC vendor phished, giving attackers a foothold in Target’s system
Network separation – Like old fortresses, the perimeter is protected much more than the rooms inside the gates
IDS malware warnings missed – Hundreds of alerts are generated every day, often across multiple programs, each requiring manual verification
IDS data exfiltration warnings – lots of manual work to find and unless correlated to the
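As an added illustration of the correlation point above (this is not part of the original deck), the following Python sketch escalates a malware alert only when the same host afterwards makes a large outbound transfer, so analysts verify a handful of correlated events instead of every raw alert. The hosts, signatures, addresses, window and byte threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample IDS alerts (hypothetical hosts and signature names).
IDS_ALERTS = [
    "2013-11-30T02:14:00 host=pos-017 sig=malware.download",
    "2013-11-30T09:41:00 host=ws-204 sig=policy.p2p",
    "2013-12-02T03:05:00 host=srv-fileshare sig=malware.dropper",
]

# Constructed outbound transfer log: bytes sent from an internal host to an
# external address (RFC 5737 documentation addresses, not real destinations).
OUTBOUND = [
    "2013-11-30T02:50:00 src=pos-017 dst=203.0.113.9 bytes=48000000",
    "2013-11-30T10:00:00 src=ws-204 dst=198.51.100.4 bytes=120000",
    "2013-12-02T22:30:00 src=srv-fileshare dst=203.0.113.9 bytes=900000",
]


def parse(line):
    """Turn 'timestamp key=val key=val ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def correlate(alerts, flows, window_hours=6, min_bytes=10_000_000):
    """Split alerts into (escalated, review).

    A malware alert is escalated when the same host sends at least min_bytes
    outbound within window_hours after the alert; every other alert stays in
    the manual-review queue instead of being lost in the daily volume.
    """
    window = timedelta(hours=window_hours)
    parsed_flows = [parse(f) for f in flows]
    escalated, review = [], []
    for line in alerts:
        a = parse(line)
        if not a["sig"].startswith("malware."):
            review.append(line)
            continue
        hit = any(
            f["src"] == a["host"]
            and a["ts"] <= f["ts"] <= a["ts"] + window
            and int(f["bytes"]) >= min_bytes
            for f in parsed_flows
        )
        (escalated if hit else review).append(line)
    return escalated, review
```

With the sample data only the pos-017 alert is escalated: its host pushed 48 MB out 36 minutes later, while srv-fileshare's transfer is both too small and outside the window.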
Target Breach – Why Response is Hard
12/12/2013 Target is notified by DoJ that they have been breached
• Statistics vary, but research shows most breaches are discovered by 3rd parties
12/19/2013 Target publicly discloses the breach
• December 18, 2013: the Target breach is revealed in a news story published by krebsonsecurity.com.
12/20/2013 Target offers 10% off in-store sales for all U.S. customers
• The attack was planned to coincide with busy holiday shopping. Target takes a hit with sales down 3%-4%.
Mid-January 2014 Credit monitoring for ALL
• In an effort to repair customer confidence, credit monitoring is offered to, well, everyone in the US
Target Breach
“…destroying the company’s brand and alienating customers.”
Yahoo Finance “Target’s lost opportunity to say it’s sorry” 3/26/2014
“…future lives could well be rocked by identity theft for no reason other than they chose to patronize your business.”
ABC News “The Data Breach Factor So Many Companies Forget: Emotion” 3/29/2014
“Probably 5% to 10% of customers will never shop there again.”
Target Breach
“Shopping isn’t objective. It’s emotional.”
What to do?
Don’t ignore it!
• Data protection is worth your time and attention
Expensive software won’t fix the problem
• To be effective, solutions need to realistically fit into your operations
Audit systems & processes
• Regular scanning for vulnerabilities can find issues early
Educate employees
• Training and awareness can go a long way in reducing risk
Prepare for the worst