Quick response will limit damage after breach of web security

How should your company react if someone calls you about a security breach on your Web site? Quickly is the best advice, because...

You are at work, feeling stressed, and there are 1,001 things left to do before lunch. Suddenly the phone rings.

"Hello, I have been looking at your Web site, and do you realise that I can see all your customers' credit card details? I thought I'd better let you know," says a disembodied voice on the other end of the phone.

How you react next is crucial. Do you call the police? Call your lawyers? Or send the caller a bottle of champagne as a thank-you?

Do the wrong thing and you could easily have a crisis on your hands that could cause irreparable damage to your company's reputation and drive your customers away.

One well-known credit card company had to face just such a dilemma earlier this month, when university student Martin Nikel telephoned to report a serious security vulnerability.

Nikel's story presents a salutary lesson in the pitfalls that await both people who are brave enough to report security problems and the companies that are on the receiving end of their calls.

Nikel, a second year information systems student at Brunel University, rang the company after discovering that a well-documented software bug had left confidential customer details exposed to potential hackers.

He had discovered the problem, which affects Web servers running Microsoft Index Server software, during a work placement at a hospital. He realised that it could have left his employer's confidential information exposed to hackers.

Nikel checked the Web sites he regularly used and discovered that 15 of them, including the card company's site, had the same vulnerability.

Reporting the fault to the credit card company should have been simple, but Nikel said he ran into a barrage of obstacles.

"The only contact information on the Web site was their credit card hotline. When I called that, they didn't have a clue. They didn't even know they had a UK Web site."

Nikel was passed from person to person, only to be told that the problem Web site must be a forgery.

In desperation, Nikel decided to e-mail some of the credit card company's customers. He gave his contact details, described the problem and asked them to pass a message on to the company.

"Personally, I thought I had exhausted all the openings," he said. "The information was fairly sensitive. If I had not contacted those companies, it could have been two, three or even four weeks before anything was done."

Nikel was stunned by the company's response. "They said their lawyers would be in touch. That's a bad reaction when you are talking to the person whose job you have probably just saved," he said.

A week of sleepless nights later, the company has told Nikel it will not take further action provided he signs a letter acknowledging that he made unauthorised access to its systems.

The credit card company's behaviour contrasted sharply with 14 other business Web sites contacted by Nikel, who thanked him for the information.

Two of the sites offered him a job and a third offered to send him gift vouchers.

The temptation for companies to try to cover up the damage by issuing legal threats against informants must be immense. But, as the publicity surrounding the recent security problems at Powergen shows, this strategy can easily backfire.

Whatever the rights and wrongs of the case, the company's decision to threaten legal action against customer and systems analyst John Chamberlain only made a bad situation worse by encouraging a torrent of highly critical press reports.

"Clearly there is a tendency for companies to try to sweep these problems under the carpet because they want to stop bad publicity. They hope the person will go away, but it is a false economy," said IT security lawyer Steven Philippsohn.

"If the person doesn't go away, an organisation like Powergen can get far worse publicity."

The clear danger is that if companies call out the police and reach for injunctions every time they receive a report about a problem, customers and concerned citizens are going to think twice before reporting any problems they find. This could leave Web site owners in a far more precarious position than a policy that encourages open communication.

At the same time, companies need to be careful to protect their own position.

Philip Virgo, strategic adviser to the Institute for the Management of Information Systems, said hackers might very well pose as concerned customers in order to glean information about a system's vulnerabilities.

One of the difficulties both companies and genuine whistleblowers face is the ambiguity of the Computer Misuse Act 1990, an anti-hacking law that was framed long before the creation of the World-Wide Web and the commercial exploitation of the Internet.

Under the Act, it is a criminal offence for anyone to deliberately access information in a computer system without authorisation.

As it stands, if you stumble across confidential customer records on a Web site, no matter how glaring the Web site owner's security lapses, you are technically guilty of a criminal offence that carries a maximum penalty of six months in jail.

By contrast, the only penalty the Web site owner can expect for poor security design is a slap on the knuckles from the Office of the Data Protection Commissioner.

The problem with current legislation is that there is no clear definition of hacking, said Phil Hunter, assistant data protection commissioner.

"If I go to a Web site and I am going to leave my personal information there, how much checking is it reasonable for me to do?" he asked. "At what stage does it become hacking?"

Until the law is clarified through case law or an act of Parliament, this question will remain open.

In the meantime, one solution could be for an organisation such as the Data Protection Commissioner's Office or the Computing Services & Software Association to act as an honest broker between concerned customers and Web site owners.

Virgo believes that such a body would have benefits for both sides. "There is clearly a need for a reporting system for security vulnerabilities. There needs to be a well-publicised route for them to report breaches," he said.

Whatever the merits of this proposal, one lesson is clear: companies should make sure they have procedures they can follow when members of the public call raising problems.

Guy Corbet, director of public relations company Fishburn Hedges, advises firms to be honest about their mistakes.

"If things happen, it is untenable to deny it, because the truth will out," he said. "You will get one chance to explain it [when the press calls], so make sure you explain it clearly and be prepared to take all the blows."

Companies always have to strike a balance between their legal advice and their public relations advice.

"You have to assess on a case-by-case basis, but in balance, legal recourse should be the last resort not the first," Corbet added.

Perhaps the best advice for both Web companies and concerned customers is the Computer Weekly test: if your actions became public and were printed on the front page of Computer Weekly, would you mind? If the answer is "yes", think again.

When the truth hurts

  • Powergen unleashed a storm of negative publicity after it threatened to take legal action against its customer John Chamberlain, a systems analyst. Chamberlain discovered a vulnerability in Powergen's system that left its customers' confidential credit card details exposed. Chamberlain said he is still reeling from Powergen's response. "I was put under a lot of stress. My work is still suffering and I fear that my interest and concentration in IT has suffered to the extent that I may leave the business altogether," he said.

  • In May of this year, Computer Weekly carried a report about a security glitch which left job seekers' confidential CVs exposed on recruitment firm Reed Executive's Web site. Reed responded by calling in Scotland Yard to investigate and referred Computer Weekly to the Press Complaints Commission. Scotland Yard dropped the investigation when Computer Weekly declined to disclose the source of its information. The Press Complaints Commission later dismissed Reed's complaint and praised Computer Weekly's actions.

10 things to do if a customer calls to highlight a security issue on your site

  • Prepare: constantly test the site whenever it is updated - for all the technical wizardry, it must also pass the consumer destruction test: can an ordinary user, poking at it, break it or see what they should not?

  • Anticipate: have in place clear and straightforward procedures to deal with the unexpected, and make sure all public-facing employees know about them

  • Listen: if a problem is reported, find out as much as you can on the initial contact. Promise to make additional internal inquiries and then get back to them

  • Speed: delay can be fatal. Don't prevaricate. Accept you will need to work on imperfect information and will need to act in Internet time. If you don't, you could be overtaken

  • Assess: before responding, but straight away, make intensive inquiries internally to find out what has happened, how, whether it can be replicated and who it will affect

  • Options: work closely with your legal and communications teams to assess your options. Consider the value of your reputation when constructing a legally-sound response

  • Respond: if one person has concerns about security, others will too - very quickly. Be prepared for your response to be widely broadcast and plan accordingly

  • Understand: security concerns will hit your customers hard, but they are more likely to listen if you are open with them and can reassure them that their interests are protected

  • Decide: agree the immediate and ongoing measures to prevent repetition. This may mean shutting the site down. If the security breach was imagined, identify how that impression was given and how it can be put into context

  • Communicate: you will get one chance to explain - so do it clearly. You will have to roll with the punches - but explain clearly how it happened, who (if anyone) could be affected and your solutions.
