The Human Side of a Data Breach

We’ve all seen the headlines, right? ‘Company ABC was impacted by a security incident. They’ve notified the appropriate authorities and are working with their third-party contractors to respond. Impacted individuals will be notified.’

But what does this look like for the everyday person impacted by these incidents? I wanted to take a moment to talk about this element of security incidents and data breaches with two examples, and ultimately to discuss some lessons all organizations can take away from them.

Example 1 – MOVEit vulnerability and data breach.

Back in May of this year, a critical vulnerability was disclosed in the file transfer tool MOVEit. Threat actors quickly leveraged it to gain unauthorized access to sensitive data held by a wide range of organizations, including financial institutions and state governments. The exposure was so bad that security researchers began notifying institutions directly to patch their systems (shout out to my friends Matt Lee and Cody Kretsinger for their work.) Unfortunately for some, this was too late.

Fast forward to August. One of these organizations disclosed to victims that there had been an incident and that their personal information was impacted. The letter directed recipients to a website for more information. The victim here reached out to our security team to validate the request. She had never heard of the organization sending the letter, and based on the security awareness training she had received, she wanted some assurance that this was not a scam. Unfortunately, the letter was legitimate, and her details were impacted as part of this incident.

Example 2 – MGM Resorts Incident
(Editor’s Note- Since the authoring of this blog, MGM has released an official statement regarding their data breach here.)

As we saw VERY recently, MGM Resorts suffered a ransomware attack. This attack disrupted the operations of the organization for 10 days. The threat actors in this case appear to be the ALPHV/BlackCat ransomware group, who are known to exfiltrate data and have claimed that they were able to gain access to sensitive data.

However, as of writing, the organization has made no statement to impacted individuals. There are likely several reasons for this. They may still be assessing what data was exposed, who is impacted, how they are going to notify people, and more. In a situation like this, multiple teams need to be involved, such as public relations, legal counsel, insurance, and more.

But for the victim this leaves many unanswered questions, such as ‘Was I impacted? What was exposed? What do I need to do?’ While it is easy for a security professional to guess the answers to these questions, many of the folks impacted by these incidents simply don’t live in this world.

So, what can we do? Have a robust incident response plan that includes communications to impacted parties. This must be prepared ahead of time to ensure clear messaging, with adequate time to review it with PR and legal teams. The plan should also define the channels those communications will be sent from (sender addresses, domains, and phone numbers), so that recipients can verify that a notification is genuine.

Set expectations around when people can expect updates. Depending on the nature of the incident and the systems impacted, there is often a need for timely information. Timely updates also allow the security teams of impacted parties to take appropriate action to prevent further incidents.

When communicating with those impacted, remember the audience. Clear messaging around what happened and what actions are necessary should be easy to understand.

And lastly, this brings me to the ‘why’ of this blog. The victims in these incidents are not always security professionals and may not have access to one. They’re parents, co-workers, neighbors, and friends. They’re folks who may not have an Adam in their life to ask about an incident or what to do. As such, it is the responsibility of security professionals to keep this in mind as we work with organizations to protect our assets and to respond to incidents if and when they occur.

Adam Evans, CISSP

About Adam Evans, CISSP

Adam is a seasoned cybersecurity professional with more than a decade of experience in the MSP industry. He started his career as a helpdesk engineer and worked his way up through various technical roles to specialize in cybersecurity – specifically GRC, security architecture, and defensive operations. 

Adam is passionate about sharing his expertise and insights with the next generation of security professionals. He believes that by working together and sharing knowledge, we can make the world a safer and more secure place for everyone.

Connect with Adam on LinkedIn: https://www.linkedin.com/in/grcadame/
