It's become the norm: another week, another breach. Most recently, the credit scoring and reporting agency Equifax revealed it had been the victim of a dramatic hacking incident, putting the personal data of up to 143 million US citizens at risk. It was also suggested that up to 400,000 UK-based customers could be affected.
Although the Equifax breach was certainly not the biggest incident of its kind in the past few years, it was arguably the most dangerous. Enough of consumers' sensitive personal data is now in the wild that their identities can be stolen, including social security and driver's licence numbers, addresses, and more.
What makes the situation even worse for Equifax is the fact that it took months for the organisation to confess, which means that millions of people were at risk without knowing it. With just eight months (and counting) to go until the European General Data Protection Regulation (GDPR) comes into force, it's critical that businesses look to previous breach incidents, such as Equifax, to learn some highly valuable lessons.
Preventing the preventable
From a technology point of view, the disheartening reality is that most breaches are preventable. In this instance, the breach was made possible by an Apache Struts vulnerability first announced in March.
However, when a breach does occur, a solid remediation plan is needed. On 25 May 2018, the Data Protection Act (DPA) will be replaced by the EU's GDPR, which will offer greater data protection scope for consumers in addition to tougher penalties for those who fail to comply with laws around the handling and storing of personal data.
Under GDPR, organisations must notify customers and authorities of a breach within 72 hours of becoming aware of the attack. This will transform how breaches are handled: companies like Equifax will no longer have the luxury of months to craft a self-serving response.
Aiming for accuracy
In a situation where they are required to notify customers within 72 hours, organisations may act in one of two ways. Either they will be scared of facing large fines and will over-notify their customers, causing huge brand and market valuation damage; a prime example is the TalkTalk incident last year, in which the company announced the breach without knowing how many customers were affected or to what extent.
Alternatively, businesses will attempt to minimise the notification as much as possible, downplaying the overall impact on customers. However, if organisations select the latter option of downplaying a breach, they could be fined up to four percent of their global revenue, the maximum penalty GDPR allows. To ensure that businesses neither over-share nor risk a hefty fine, notifications need to be crafted as accurately as possible and delivered within the 72-hour time limit, so that consumers are not left at risk and exposed to further exploitation.
No place to hide
Although it will take some time to interpret certain aspects of the regulation, Article 33 is clear: breach notifications must be made in less than 72 hours. This means that from the outset, systems must be in place to provide answers as soon as things go wrong, and policies must be in place to enable accurate and timely communication of the facts.
It's time for companies to wake up to reality: it's likely every business will experience a data breach at some point, if they haven't already. The key thing for all businesses to remember when it comes to ensuring compliance with GDPR and dealing with breaches is that it is becoming increasingly difficult to identify exactly how a breach has occurred. To deliver truly accurate notification to authorities, organisations everywhere need to enable a complete view of network activity in real time, with the ability to pinpoint the cause and potential repercussions of issues as soon as they are detected.
Contributed by James Barrett, Senior Director EMEA, Endace
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.