Thankfully, we now live in a world where it is accepted that data breaches happen and organisations are more comfortable disclosing that they have been victim to an attack. However, with this welcome move away from victim blaming, organisations are now being judged more on how well they manage a breach.
Examples of this include the openness Norsk Hydro demonstrated when it had to shut its business down because of a ransomware attack, and how Maersk shared its experiences with NotPetya to enable other organisations to learn how to secure their own environments better.
Recent headlines highlight the cyber security woes Travelex has suffered, and continues to suffer. But unlike the examples set by Norsk and Maersk, Travelex is rapidly becoming a poster child for how not to respond to a security breach.
Travelex discovered on New Year’s Eve that it had fallen victim to a cyber attack in the form of a computer virus. As a precautionary move, it took its websites offline, leaving a “site under maintenance” notice, with no mention of the real cause of the outage. It wasn’t until 7 January, more than a week after discovering the breach, that Travelex updated its website with a notice stating that it was victim to “ransomware known as Sodinokibi, also commonly referred to as REvil”.
The fact that, for several days, there was no coherent communication from Travelex as to the exact nature of the attack left customers, media, stakeholders and other interested parties in the dark. In the absence of statements and updates by Travelex, it was left to security experts and journalists to try to fill the gap, leading to rumour, speculation and, ultimately, upset customers.
It also appears that Travelex did not inform the Information Commissioner’s Office (ICO) about the breach. Many may think a ransomware attack is not a data breach because the data is still on the system. But if the personal data entrusted to your care is encrypted and you cannot access it or decrypt it, you could be deemed to have lost control of the data and therefore it could constitute a breach.
The key lesson we can take from the Travelex breach is that an effective response to a breach is a critical business function and is no longer the sole province of the IT department. Rather, it should be a core business competency supported by senior management with input from other business areas, such as HR, legal and compliance, public relations, customer support and the data protection team. As demonstrated by the Travelex breach, an incident can disrupt your business, with critical systems taken offline.
To minimise the levels of disruption a cyber attack can inflict on your business, your incident response plan should be integrated closely with your business continuity plans. Finally, practice makes perfect, so regularly test how effective your processes are. Better to discover weaknesses in how you can respond to an incident during an exercise rather than in the midst of a real crisis.
To help build your capabilities in this area, the ICO has a General Data Protection Regulation (GDPR)-focused checklist for handling data breaches. The UK government also offers very good advice about handling media attention and crisis communications.
The old adage from Benjamin Franklin, “By failing to prepare, you are preparing to fail”, is a warning we should heed in cyber security, and the Travelex breach provides us with a great opportunity to ensure our own organisations are well prepared for the next breach.