Data is the most elusive kind of asset in the modern economic world. Unlike physical goods, data does not disappear once it is stolen. Sometimes the truth – or the full extent of the truth – remains unknown for weeks, months or even years. For example, Yahoo did not learn the true extent of its 2014 data breach for almost two years [14] – and it found out while investigating another security incident.
Data breaches can remain undetected for a long time. Often, even when the vulnerability that made a data breach possible is discovered (for instance, through penetration testing), it is impossible to tell whether it has already been exploited by a malicious actor.
As the value of data has increased, so has the value of cyber intelligence activities. Stolen data often shows up for sale on dark web forums and in hacker communities shortly after it is stolen. The use of experienced covert agents, who can maintain a presence in such communities, is a valuable tactical option that can ensure timely mitigation of any breach.
It is important to point out that, once customer data shows up for sale or exchange, we are already talking about mitigation. Some proactive measures can be taken to make stolen data more difficult to use (for example, data can – and should – be encrypted), but once data is stolen, whether or not it can be used is merely a matter of resources.
However, the conduct of a company following a data breach can make a great difference. Kaspersky’s study [15] reveals that almost half of the surveyed companies affected by a security breach had to disclose it to affected customers, and more than one third had to disclose it to customers in general.
Furthermore, timely disclosure can give a company a significant advantage in its post-disclosure PR efforts; Yahoo, for instance, was heavily criticized for failing to adequately disclose its breach. In contrast, in a more recent incident, CloudFlare’s conduct following its data leak in February 2017 was viewed far more favorably. The incident was disclosed to all interested parties – in fact, CloudFlare specifically reached out to users of some of the more popular partner services, such as Uber, and recommended that they change their passwords – and the issue that caused the leak was quickly and transparently patched.
In CloudFlare’s case, the leak was detected by a benevolent party (Google discovered it as part of its Project Zero [16] initiative). Not everyone has been as fortunate: in 2012, LinkedIn [17] found itself not in the difficult but manageable position of disclosing a data leak, but in the far less enviable position of confirming one, after the hacker who had stolen the data posted it on a hacker community forum. Furthermore, because adequate protection techniques were not employed for user passwords [18], the login credentials of users who had chosen common passwords (such as dictionary words) were cracked very quickly. One can certainly argue that this was partly the users’ fault, but once data is on a company’s servers, protecting it becomes the company’s responsibility, not the users’. Moreover, a company whose security has just been breached is generally not in a position to publicly criticize its users’ security practices without causing significant damage to its own reputation.
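To make the password-protection point concrete, here is an added example (not from the original text, and not a description of LinkedIn's actual scheme, which the text does not specify). It assumes the weak scheme is a single fast, unsalted hash and contrasts it with per-user salts plus a slow key-derivation function; the user table and wordlist are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data: three users, two of whom chose the same dictionary word.
USERS = {"alice": "sunshine", "bob": "Tr0ub4dor&3!x", "carol": "sunshine"}
COMMON_WORDS = ["password", "sunshine", "letmein", "dragon"]  # constructed wordlist

# Weak scheme (assumed for illustration): one fast, unsalted hash per password.
def weak_store(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)

# Hardened scheme: random per-user salt plus a deliberately slow KDF.
ITERATIONS = 600_000  # tune so one verification costs tens of milliseconds

def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def weak_scheme_exposure(stored: Dict[str, str], wordlist: List[str]) -> List[str]:
    """Users whose unsalted hash appears in a table precomputed from a wordlist.
    One table serves every record at once, so exposure is immediate after a leak."""
    table = {weak_store(w): w for w in wordlist}
    return sorted(user for user, h in stored.items() if h in table)

def salted_records_differ(password: str) -> bool:
    """With per-user salts, identical passwords produce different records, so no
    shared table applies and each record costs ITERATIONS of work to test."""
    return strong_store(password) != strong_store(password)

if __name__ == "__main__":
    weak = {u: weak_store(p) for u, p in USERS.items()}
    print("exposed under weak scheme:", weak_scheme_exposure(weak, COMMON_WORDS))
    strong = {u: strong_store(p) for u, p in USERS.items()}
    print("alice verifies:", strong_verify("sunshine", strong["alice"]))
    print("alice/carol records identical:", strong["alice"] == strong["carol"])
```

Under the weak scheme every user who picked a listed word is exposed as soon as the table is built; under the hardened scheme identical passwords still yield distinct records and each guess must be recomputed per user.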
The existence of disclosure channels and best practices in this regard suggests that a data breach, while a very serious and troubling event, is not necessarily the end of the road for a company. If communicated accurately and promptly, the effects of a security breach can be mitigated. As we have already seen, some loss of reputation (at least temporarily) is inevitable; however, if proper security measures are taken, it is at least possible to guarantee that an identical incident will not happen again.