Think Your Customer Data was Exposed? Follow These Steps

Has your customer data been exposed to a breach? Here’s what you should do.

When a prospect or customer shares personal data with a business, they expect their information will be stored securely, kept safe from vulnerabilities, and used only for the purposes with which it was collected. Whether this data is an email address, a birthday, a personal identifier, or credit card numbers, the weight of trust placed on this information is the same.

With these expectations, it's no surprise that a data breach is every organization’s nightmare. Unfortunately, they’re becoming much more common. According to the website Breach Level Index, almost 15 million data records were compromised between 2013 and 2018. A mere 4% of those records were encrypted, meaning “the stolen data was rendered useless.”

And the rate of exploited vulnerabilities and massive breaches isn't going to slow down any time soon. Just check the news! This month's Capital One data breach affected 106 million customers with data collected from credit applications (see: Krebs on Security). In June, Evite was breached, with 101 million email addresses stolen, as well as phone numbers, birthdays, and even some unencrypted passwords.

If you’ve recently detected a data breach or vulnerability in your network and think customer data has been exposed as a result, keep calm and read this blog. We’ll highlight the different types of customer data exposure you may experience, then walk through six steps you should take to remain aligned with industry, customer, and compliance expectations.

First, Identify the Type of Customer Data Exposure You’re Dealing with

There are several ways data can be exposed: from within your organization, from an exposed public database, and through a full-fledged data breach. To figure out which one you're dealing with, you'll want to ask your IT team or cybersecurity experts a few questions. Did the breach originate inside or outside the business? What is the scope? Which areas of the business were affected? Finally, how much data was potentially affected?

Not sure what qualifies as an internal vs. external exposure? Here are some guidelines.

1. Internal Exposure

Did the exposure of customer data come from inside your private network (i.e., "the phone call came from inside the house")? This type of exposure could include internal threats, like rogue employees, curious third-party vendors with too much access, a snoopy coworker, and so on. Signs of internal exposure can include an employee who emails sensitive documents to his home computer, a spreadsheet containing social security numbers that’s shared with a spouse, or a reseller that stores customer passwords in plain text on an internal server.

A forensic investigation may need to be conducted to determine the scope of an internal breach, but it can be a relief if the data wasn't leaked outside of the organization. Data breach notifications to affected customers may still be necessary (check local and federal notification laws to see what's expected), but the cause of the vulnerability may be much easier to fix (e.g., by restricting access or providing employee cybersecurity awareness training) and prevent in the future.

2. External Exposure – Database on Public Server

Sadly, this is a common type of external exposure. A data breach can happen when a folder or database on a public server isn’t properly secured or changed from default permissions. Sometimes, the database is found through an internet search; other times, it’s found clicking around an organization’s website or FTP server (like FileZilla).

Need a real-life example? Just this year, Dow Jones exposed a database with 2.4 million records by keeping it on an unsecured public server.

An exposed database is considered a vulnerability and can be exploited if discovered. But if you find the weakness first, fix it, and can prove that no one else accessed, tampered with, or copied the data (especially if the exposed information is encrypted), it may not be considered a breach. Again, check your local and industry standards to determine what applies to you.

3. External Exposure – Full-Fledged Data Breach

This type of exposure is the one you frequently hear in the news: a hacker has infiltrated your organization through ransomware, malware, an unsecure back door, a phishing email, etc. From there, they’ve been monitoring and copying data anywhere from days to weeks to years!

If you find yourself victim to a full-fledged data breach and identify that customer data has been affected by the incident, you’ll need to follow protocol for notifying customers so they can change their passwords, implement credit monitoring, cancel their credit cards, and so on.

What to Do if You Think Customer Data Has Been Exposed

If you think customer data has been exposed, don’t panic. Instead, follow these six steps to quickly, effectively, safely, and correctly respond to the event.

1. Determine what the vulnerabilities are, where they are, and fix them.

For example, if the breach was caused by a server that stored data unencrypted, implement better encryption practices.

2. Once the breach is no longer active (meaning you’ve cut off the source), determine what kind of customer data was exposed.

Emails? Phone numbers? Health records? Credit data? Personal identifiers, like social security numbers?

3. Look up the data breach notification laws that apply to your location, industry, and country.

Some laws require notice within 48 hours, while others provide a little more leeway (e.g., 30-45 days). If you're in the U.S., here's a handy guide to state data breach notification laws.

4. Within the data breach notification law period, inform affected customers via email and letter.

This will allow customers to take action to protect themselves, such as by changing their password, getting credit monitoring, freezing cards or credit information, etc. It will also help you avoid any fines or penalties that come with not informing those affected by a breach.

5. Inform employees so they know how to talk to customers (and the public) about the data breach.

6. Update your cybersecurity strategy to avoid future issues.

This could include implementing better security solutions for data encryption, network monitoring, password policies, and more.

7. Follow the steps in this article to respond quickly and efficiently to other areas of a breach.

How to Avoid Future Customer Data Exposures

Prevention is the best way to plan for exposures of customer data. To avoid future incidents, take a thorough look at the cybersecurity practices currently implemented throughout your organization and make sure rules are being followed closely. If there are gaps in your plan, find ways to solve them.

Here are a few suggestions to help strengthen your cybersecurity strategy:

  • Use encryption at rest so data cannot be read if compromised
  • Restrict access to only the people who need it
  • Follow data retention laws and don't keep data longer than you need to
  • Ensure employees are educated on security concerns and email practices
  • Patch your systems and hardware frequently to avoid vulnerabilities
  • Audit, audit, audit - know what employees and vendors are doing

Create a Data Breach Incident Response Plan

If you don’t yet have one, a response plan can be used to put steps in place for a data breach or cybersecurity incident. Read our blog on how to create a response plan to ensure that next time, you know exactly what to do in this situation.
