By J Connolly
Big hacks are back in the news this month, with the personal details of up to 143 million customers exposed by the breach of credit-reporting giant Equifax. As well as taking criticism for not preventing the breach (which was caused by an unpatched vulnerability in the Apache Struts web framework, for which a fix had already been released), the company has faced anger for not informing the public until six weeks after it discovered the intrusion.
There have been numerous debates in recent times about how soon enterprises should report data breaches to their customers, or even whether they should report them at all. The Equifax hack has put this issue right back on the table, but it looks as though history will be on the side of the quick disclosers.
It’s not just in the headlines: attacks on enterprises are growing and have become a regular part of an organisation’s threat landscape. Gemalto’s Breach Level Index reported 1,792 data breaches in 2016, compromising almost 1.4 billion data records, an increase of 86% on the year before.
Despite this, companies are either not aware of the risk or not willing to admit they have been hit. In a survey of 2,000 IT professionals, only 44.45% of participants expressed confidence that their firm had suffered a data breach. This is way out of line with what we know about the volume of cyber-crime incidents, and does not match the figures reported by the public sector.
When Google was hacked in 2010, another 35 companies also lost intellectual property in the same campaign. Yet only one other company reported that it had been hacked, and it provided no details of the impact. In the US, “Just 95 of the roughly 9,000 public companies in the US have notified the SEC (Securities and Exchange Commission) of a data breach since January 2010, yet across public and private companies in the same time period there were 2,642 breaches or hacks.”
As well as Equifax, other companies known to have been compromised have been equally slow to report. In September 2016, Yahoo revealed that at least 500 million user accounts had been compromised, but it waited a month before informing its users that something might be wrong.
It is easy to see why so many enterprises are reluctant to disclose that they have been hacked. A study by Oxford Economics that looked at 65 severe breaches at listed companies found that disclosure tended to cause share prices to fall by 1.8% on average. There is also the risk of direct financial loss, the cost of remedial action and potential liability.
As well as the immediate financial hit, enterprises are wary of the reputational damage they may suffer. Although cyber-crime is growing worldwide and breaches are becoming more common, enterprises fear that disclosure will damage the trust customers place in them to safeguard their data.
There is possibly also a belief that not reporting a hack means it will never come to light at all. This is a misplaced view, and one that organisations should avoid.
A Problem Shared…
Though the reputational damage from a breach may be large, the late disclosures by organisations that recently discovered large breaches have shown that the damage is far greater if customers believe their data controller not only allowed their data to leak but then sat on information that could have prevented further harm. This view is sometimes unfair, as organisations may need time to assess the damage of an attack and shut down further intrusions, as Equifax’s CEO explained to USA Today this week.
That said, as well as being the right business choice, quick disclosure is also the right thing to do. If customers learn promptly that their personal information is in the hands of hackers, they can take immediate steps to limit the damage. That may mean something as simple as changing passwords that were reused on other sites or, in the common case of identity theft, changing their bank and card details so that the stolen data cannot usefully be sold to scammers online.
It also seems more and more likely that organisations that have lost financial information will be found out. Cyber-criminals frequently use dark-web marketplaces and the anonymity of cryptocurrency payments to sell stolen data to the highest bidder, as has been the case with the Equifax attackers and with others such as the LinkedIn breach. With the odds that your data breach will be advertised online anyway, the only sensible route seems to be to declare it quickly.
Times are Changing
In a sign of the times, companies may find themselves having to report data breaches quickly anyway. The incoming GDPR, which the UK looks set to adopt wholesale regardless of Brexit, is explicit about the responsibility of organisations to report data breaches: a breach must be notified to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, with details of its nature and scope, and where the breach is likely to result in a high risk to individuals, the affected customers must also be informed without undue delay.
While the ICO (the UK’s Information Commissioner’s Office) is assuring companies that some leeway will be given to businesses that make reasonable efforts to disclose, the eye-wateringly high fines for enterprises that fail to comply with the notification duty, up to 10 million euros or 2% of global annual turnover, mean this will be high on the security agenda.
All paths lead towards enterprises becoming responsible and timely disclosers of data breaches. This looks to be the way forward regardless of regulation, and enterprises should embrace the change. In a scary cyber-world, transparency cannot be overrated.