In April 2018, a Personally Identifiable Information (PII) breach associated with Panera Bread Company’s customer loyalty and delivery programs was uncovered. Millions of records were publicly available for at least eight months, including customer emails, addresses, and payment card information.
With mega-breaches impacting corporations like Equifax (September 2017, 143 million records) and Yahoo (August 2013, 3 billion records) becoming more common, it is tempting to assume that only large organizations are susceptible or that data from a few years ago is unimportant. However, all data is valuable; once it is uploaded online it remains there indefinitely, and there is ample opportunity to learn from these organizations' missteps to develop or improve your own incident response procedures.
A recent Ponemon/IBM report identified that the average time to detect a breach is 191 days with an additional 66 days needed to contain it. In Panera’s case, one of the biggest factors causing a delay was a lack of established trust between the security researcher and the organization. This lack of trust is evidenced by the Security Director of Panera believing that the researcher was attempting to scam the company – a common knee-jerk reaction when breaches or vulnerabilities are disclosed. While we do not know what internal policies may have been present or the lasting impact this breach may have on the company and its clientele, the handling of this situation highlights the importance of corporate governance in Information Security.
Formally adopted and regularly updated policies establish the framework wherein administrative safeguards are implemented and provide guidance for technical controls. Breach handling is typically addressed by an Incident Response (IR) plan, often outlined in an Information Security Policy, which also includes provisions for assessing notifications originating from a third party. Organizations of all sizes and regulatory restrictions have confidential data (e.g., client lists, billing information, the "secret sauce" that gives them a competitive edge) that requires protection and could benefit from an IR plan. The impact of this data falling into the wrong hands varies but is always negative and can have a lasting impact on an organization’s reputation.
It is crucial that processes are in place for responsible breach disclosure, both to your organization and to your clients. Proactive processes help maintain the trust relationship you have with your clients, employees, and the public. The specifics of any process or plan are dependent on your business needs; however, here are some recommended steps:
- Establish communications
- Validate credibility
- Evaluate risk
- Plan to act
- Inform the impacted
- Mitigate the issue
The easiest way to establish communication is to create a mailbox that is regularly monitored by one or more employees who have been designated as members of your IR team. For example, "[email protected]" is commonly accepted as the standard for responsible disclosure by security researchers and should be referenced on your website. However, your IR team should verify and validate every notification, and be wary of demands for compensation. Responsible disclosure requires this information to be shared freely. Once a notification is validated, conduct a risk assessment to determine the impact the issue may have and create a plan to mitigate it. If the issue impacts your clients, it is important that they are informed, prior to or during actual mitigation, of what steps are being taken to address the issue and to prevent it from recurring.
It would be unthinkable to wait until a disaster to establish a disaster recovery plan; after all, failure to plan is planning to fail. So, it is crucial to establish plans and procedures before a disaster strikes. There is no "one size fits all" answer to security; however, solutions like advanced endpoint anti-virus, Unified Threat Management (UTM) appliances, and Security Information and Event Management (SIEM) appliances can provide greater insight into activity on your network and provide a higher level of protection than traditional anti-virus and firewalls. Regardless of the solutions that are in place, being proactive and having strong governance will help your organization be successful.