Dealing with the aftermath of a data breach
At Barclaycard’s Data Breach Masterclass, businesses shared case studies on the process of investigating and recovering from a data breach, and how to prepare for such an event.
What happens in the aftermath of a data breach? It’s a question that all businesses should have considered even as they make efforts to secure their systems and databases against the threat of hackers. The fact is that no business is completely protected from suffering a data breach.
Each of the speakers at Barclaycard’s Masterclass in February shared the lessons learned from what is clearly a very difficult process for a business to go through, and one that can take years to recover from.
The aftermath of a data breach
If a business suffers a data breach, it is obligated to pay a third-party company to do a PCI forensic investigation (known as a PFI). This investigation will aim to uncover what caused the breach and what data was potentially exposed to the hackers.
At the Data Breach Masterclass, a PCI investigator gave an overview of the nine steps his company typically goes through during a PFI. The process begins with initial information and data gathering, followed by a breach vulnerability assessment, then forensic analysis and reporting, before a final report is published. The card schemes affected by the breach will then use this report to set out the remedial actions and financial penalties that will be imposed on the business that suffered the breach.
It's not possible to put an exact timeframe on how long this process lasts, but the nature of forensic investigations means that it inevitably takes place over a matter of weeks and months rather than a few days.
Furthermore, it’s worth noting that there are only 18 businesses globally that are licensed to carry out a PCI investigation. For this reason, it can be a good idea for businesses to pre-approve a PCI investigator as they make plans for how to respond to a data breach. This means that in the event a business does suffer a breach, it can immediately pick up the phone to a PCI investigator, rather than having to spend valuable time doing due diligence.
Lessons learned from data breaches
Two of the speakers at the Masterclass shared case studies from well-known UK retailers that had recently suffered major data breaches. It was a fascinating insight into the lengths that criminals go to obtain customer data – in one instance, the hackers spent several years infiltrating the retailer’s systems before they attempted to steal any data.
The case studies also served to reiterate the massive amount of resources that businesses have to expend when recovering from a data breach, including financial costs, such as fines from regulators, as well as the time spent bringing systems back online and up to PCI standards for data protection.
Here is an overview of some of the lessons learned from the process of recovering from a data breach:
1. Cyber Hygiene
Digital technology is evolving at a rapid pace, which inevitably brings added complications when keeping data secure.
For example, legacy systems can be a potential weak spot for hackers to exploit, as older tech infrastructure might lack up-to-date data protection or it might not be supported by more recent technology updates.
Businesses need to ensure they are supporting their current and legacy technology infrastructures, while also preparing for the future. This is a complicated juggling act, which is made more difficult for large corporates that may have had to combine systems and databases following mergers or acquisitions.
The speakers also recommended that businesses limit privileged access to their systems to help guard against any malicious activity from their own employees.
2. Third-party audits
Linked to your business’s own cyber hygiene is the security of any third-party tech providers. The speakers noted several high-profile cases where hackers had accessed a business’s systems via an insecure service provided by a third party.
The speakers suggested that businesses should consider auditing all their tech suppliers to check whether they are genuinely secure and compliant – in some cases it's not enough to simply take the supplier’s promises at face value. It is advisable to get details of the supplier’s security policies and procedures, and ask whether they will allow a PFI to look into their systems in the event of a breach.
It's important to note that even if hackers manage to break in via a third-party tech supplier, it is the business that suffers the breach that is on the hook for the investigation and any penalties.
3. Data management
The amount of customer data available to businesses has grown exponentially in the past decade thanks to the rise of ecommerce and smartphones.
Businesses often assume that all customer data is useful, as it could reveal something about their customers’ behaviours or buying habits that might help the company be more successful in future. However, the speakers said that businesses should resist the temptation to collect and store all the data that they’re legally entitled to, as it makes data management more complicated and potentially riskier.
Instead, the speakers advocated data minimization. If there isn’t an obvious need to collect or store a particular set of data, then it should be deleted. This makes it easier for companies to keep track of their data inventory and reduces the likelihood that a data breach will occur.
According to one of the speakers: “Ideally you should use software to run an automated data clean-up, as you will find data hidden in places where you didn’t even know it was being stored.”
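The automated clean-up the speaker describes starts with discovery: finding cardholder data in places it was never meant to be stored. The following is an added example, not code from the original article or from Barclaycard, that scans constructed sample data stores for primary account numbers, uses the Luhn check to rule out look-alikes such as order or phone numbers, reports which stores hold card data, and masks what it finds down to the last four digits. The store names and records are constructed for illustration and use well-known test card numbers.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded inside a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> List[str]:
    """Return the PAN-like strings in text that pass the Luhn check, as written."""
    return [m.group(0) for m in _PAN_CANDIDATE.finditer(text) if _is_pan(m.group(0))]


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with a masked form keeping only the last four digits."""
    def _mask(m: "re.Match[str]") -> str:
        if not _is_pan(m.group(0)):
            return m.group(0)   # leave false positives untouched
        digits = re.sub(r"\D", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_CANDIDATE.sub(_mask, text)


def inventory(stores: Dict[str, str]) -> Dict[str, int]:
    """Map each store name to the number of PANs found in it; clean stores are omitted."""
    report: Dict[str, int] = {}
    for name, content in stores.items():
        count = len(find_pans(content))
        if count:
            report[name] = count
    return report


# Constructed sample data (hypothetical store names and records, test card numbers).
SAMPLE_STORES = {
    "orders/2023-11.log": (
        "order 1001 paid with 4111111111111111 exp 12/26\n"
        "order 1002 paid by token tok_abc123\n"
    ),
    "support/ticket-4471.txt": (
        "Customer read out card 5555 5555 5555 4444 over the phone; refund done.\n"
    ),
    # Phone number (11 digits) and a 16-digit reference that fails Luhn: no hits.
    "crm/export.csv": "ref,phone\nORD-000123,020 7946 0000\n1234567890123456,n/a\n",
}

if __name__ == "__main__":
    for store, count in inventory(SAMPLE_STORES).items():
        print(f"{store}: {count} PAN(s) found")
    print(mask_pans(SAMPLE_STORES["support/ticket-4471.txt"]), end="")
```

The inventory report is what drives the minimization decision in the section above: a store that was never meant to hold card data (a support ticket, a debug log) gets the data deleted or masked, and the scan is scheduled to run regularly so the data inventory stays current rather than being rebuilt under pressure after a breach.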
4. Incident response plan
In the days and weeks following a data breach, businesses will have to scramble to overcome a lot of difficult hurdles. It’s a painful process, but one that can be made slightly easier if businesses have a crisis management plan in place.
As one of the expert speakers aptly put it: “You can’t expect to just wing it in an emergency.”
Businesses might consider having a practiced, choreographed process that they can implement as and when they suffer a breach. This might involve having an off-site event where senior leadership run a simulation to rehearse their roles and responsibilities.
The plan should answer questions including:
Who should be involved in the crisis management team?
Which third party will carry out the forensic investigation?
How will the business communicate with employees, regulators and customers?
5. Work closely with your acquirer
In the event of a data breach, businesses need to work closely with their acquirer during the subsequent PCI investigation.
For this reason, it’s important to notify your acquirer as soon as you suspect your business’s systems might have been hacked. Even if it turns out that your fears were unfounded, it’s always better to err on the side of caution.
It’s impossible to be completely protected from a data breach, but by planning for such an event, businesses can at least make sure that they are in the best place to respond quickly and limit the potential damage.
What’s your Strong Customer Authentication strategy?
Like all regulation, Strong Customer Authentication (SCA) brings new challenges. But with the right strategies in place, merchants can be compliant, help reduce fraud and offer secure payments. For more information, see our whitepaper: Demystifying the payment landscape: PSD2, SCA and the security challenge.