How to Report a Web Security Breach
Do you remember the Best Western security breach from last year? It is still relevant, in that it illustrated a case of what NOT to do when it comes to reporting a security breach.
First, the Times Online ran a story in which the Best Western hotel chain was quoted, reporting that hackers had stolen eight million credit card records worth roughly 2.8 billion Euros.
Columnist Bernhard Warner wrote: "The Herald, we were also informed, notified the hotel chain before publishing the story. The company thanked the paper for its vigilance and closed the breach…"
But then Best Western sent out a denial that a security breach had ever happened. A few days after that, the company admitted that a breach did happen after all, but that only 10 customers from a particular Best Western hotel in Berlin were affected, and that the vulnerability had been closed.
Which story are we supposed to believe?
A recent national survey showed that more than 20 per cent of enterprises reported a loss of private data as a result of security attacks and breaches, up from 10 per cent two years ago. Since companies are getting breached all the time, they ought at least to know how to report the incident properly.
For companies facing a data security breach, there are some guidelines on how and when to notify the public, courtesy of the Privacy Commissioner of Canada.
Some highlights from their guidelines on how to report a security breach:
When to notify: Notification of individuals affected by the breach should occur as soon as reasonably possible following assessment and evaluation of the breach. However, if law enforcement authorities are involved, check with those authorities whether notification should be delayed to ensure that the investigation is not compromised.
How to notify: The preferred method of notification is direct – by phone, letter, email or in person – to affected individuals. Indirect notification – website information, posted notices, media – should generally only occur where direct notification could cause further harm, is prohibitive in cost or the contact information for affected individuals is not known. Using multiple methods of notification in certain cases may be appropriate. You should also consider whether the method of notification might increase the risk of harm (e.g., by alerting the person who stole the laptop of the value of the information on the computer).
Who should notify: Typically, the organization that has a direct relationship with the customer, client or employee should notify the affected individuals, including when the breach occurs at a third party service provider that has been contracted to maintain or process the personal information. However, there may be circumstances where notification by a third party is more appropriate. For example, in the event of a breach by a retail merchant of credit card information, the credit card issuer may be involved in providing the notice since the merchant may not have the necessary contact information.
Adapted from the Pacific Coast Informer Blog
Webinar on July 22: Using IT for Competitive Advantage
This webinar will focus on the approaches and directions applied by business and IT leadership to achieve competitive advantage including stakeholder planning, analysis, design, and development disciplines, and successful implementation of specific technologies such as database-driven portals to achieve business objectives.
How to Register
1. Go to http://boonbox.webex.com/meet/boonbox
2. Click "Show All Meetings".
3. Click the "Register" link on the right in the Status column for "Using IT for Competitive Advantage" and fill in the short registration form. You will be sent your registration confirmation information and instructions on how to participate.
Who Should Register: Business owners and executives concerned with improving productivity and streamlining operations through better use of IT solutions.
As an additional benefit of signing up for this webinar, you will also receive a complimentary subscription to our newsletters, Cyber Security Informer and Pacific Coast Informer.
Get more information about the "Using IT for Competitive Advantage" webinar
Ask A Security Expert
"Why do I ever need to go back into my social networking sites or free email accounts to check my security settings?"
Not only do you need to go back into your various accounts to check that the settings are secure; you really need to do so on a regular basis, ensuring your information is up-to-date, your passwords are strong and that you never, ever, tell the truth when answering security questions (even better if your answers have absolutely nothing to do with the questions!). Checking on a quarterly basis would be a good idea.
But the question was "why" this is necessary, so here's your answer: hackers can take advantage of vulnerabilities in your old settings that you never thought of. For instance, one recent hacker who gained access to the private documents of more than 300 companies used a fairly simple technique exploiting poor password security and forgotten alternate email address settings. The technique is described in scary detail at Could You Be Hacked Like Twitter?
In this case, abandoned free email accounts and the reuse of easily guessed passwords across multiple accounts allowed the hacker to gain access to the users' private information. This led to security breaches at the companies the victims worked for.
This is just another example of why security awareness for employees is a must-have, whether they are using company hardware and accounts or their own personal networking sites.
If you would like more information about how to keep your organization secure, contact us.
Weekly Feature - Hacker Bait
The latest Hacker Bait list contains highly trafficked websites that have been found to have vulnerabilities that hackers and cyber criminals could exploit.
This is not a complete list of all vulnerable sites on the Internet, but only represents websites where vulnerabilities were found within the past 90 days. These are only the latest additions to an ever-growing club of sites found to be insecure according to various public sources and online tools used in the web security industry.
If you would like more information on our data and why these sites are listed here, please contact PCIS.
Hacker Bait Sites With Vulnerabilities Discovered in Past 90 Days
About Boonbox
Boonbox is a division of Pacific Coast Information Systems Ltd., specializing in products for web security, network security, password management and data backup.
PCIS is a Vancouver-based company which provides strategic consulting, application development, technology solutions and managed services to companies and government organizations throughout North America.
How to Subscribe/Unsubscribe to the Informer
SUBSCRIBE: To subscribe to the Cyber Security Informer, send a blank email message with subject line "SUBSCRIBE" to informer@pcis.com
UNSUBSCRIBE: If you do not wish to receive future issues of the Cyber Security Informer, send a blank email with subject line "UNSUBSCRIBE" to informer@pcis.com and we will promptly remove you from our distribution list.
WE WANT YOUR FEEDBACK: Our purpose for providing this free service is to keep our clients and business contacts informed of technology developments. This information can help them resolve common problems and achieve their full potential by strengthening their business processes and infrastructure. Your input is important to us and we welcome your ideas for new features and how we can continue to improve our service to you. Send your comments and suggestions to informer@pcis.com or contact us directly at 604.844.7558.