When a prospect or customer shares personal data with a business, they expect it to be stored securely, protected against compromise, and used only for the purposes for which it was collected. Whether that data is an email address, a birthday, a personal identifier, or a credit card number, the trust placed in the business is the same.
With these expectations, it's no surprise that a data breach is every organization's nightmare. Unfortunately, breaches are becoming much more common. According to the Breach Level Index, almost 15 billion data records were compromised between 2013 and 2018, and a mere 4% of those records were encrypted, meaning "the stolen data was rendered useless."
And the rate of exploited vulnerabilities and massive breaches isn't going to slow down any time soon. Just check the news! This month's Capital One data breach affected 106 million customers, with data taken from credit card applications (see Krebs on Security). In June, Evite was breached: 101 million email addresses were stolen, along with phone numbers, birthdays, and even some unencrypted passwords.
If you’ve recently detected a data breach or vulnerability in your network and think customer data has been exposed as a result, keep calm and read this blog. We’ll highlight the different types of customer data exposure you may experience, then walk through six steps you should take to remain aligned with industry, customer, and compliance expectations.
Data can be exposed in several ways: from within your organization, through an exposed public database, or through a full-fledged data breach. To figure out which one you're dealing with, ask your IT team or cybersecurity experts a few questions. Did the breach originate inside or outside the business? What is its scope? Which areas of the business were affected? Finally, how much data was potentially affected?
Not sure what qualifies as an internal vs. external exposure? Here are some guidelines.
Did the exposure of customer data come from inside your private network (i.e., "the phone call came from inside the house")? This type of exposure covers internal threats: rogue employees, curious third-party vendors with too much access, a snoopy coworker, and so on. Signs of internal exposure include an employee who emails sensitive documents to a personal computer, a spreadsheet of Social Security numbers shared with a spouse, or a reseller that stores customer passwords in plain text on an internal server.
Related Reading: 6 Users to Put on Your Security Watch List
A forensic investigation may be needed to determine the scope of an internal breach, but it can be a relief if the data never left the organization. Notifying affected customers may still be required, so check local and federal notification laws to see what's expected. The root cause, however, is often much easier to fix (e.g., by restricting access or providing employee cybersecurity awareness training) and to prevent in the future.
Sadly, an exposed public database is a common type of external exposure. It happens when a folder or database on a public server isn't properly secured or is left with its default permissions. Sometimes the database is found through an internet search; other times, it's found by clicking around an organization's website or an exposed FTP server.
Need a real-life example? Just this year, Dow Jones exposed a database with 2.4 million records by keeping it on an unsecured public server.
An exposed database is a vulnerability and can be exploited if discovered. But if you find the weakness first, fix it, and can prove (from access logs, for example) that no one else accessed, tampered with, or copied the data, it may not count as a breach, especially if the exposed information was encrypted. Again, check your local laws and industry standards to determine what applies to you.
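The "find the weakness first" part is something you can automate for the simplest form of this exposure: a folder that a web or FTP server publishes with default permissions. The following is an added example, not code from the original post. It walks a directory tree, flags any file or directory writable by everyone and any data export (.csv, .sql, .bak, and so on) readable by everyone, and then strips the "other" permission bits from what it found. The sensitive-extension list, the constructed sample tree, and the report format are assumptions for illustration.

```python
"""Audit a published directory tree for customer-data exports left readable
by everyone, then tighten the permissions.

Added example (not part of the original post). The extension list, the
sample tree built by demo(), and the report format are assumptions.
"""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: file types that usually hold bulk customer records.
SENSITIVE_EXTENSIONS = {".csv", ".sql", ".bak", ".dump", ".json", ".xlsx", ".db", ".sqlite"}


@dataclass(frozen=True)
class Finding:
    path: str
    issue: str
    mode: str  # symbolic permissions, e.g. "-rw-r--r--"


def audit_tree(root: str) -> List[Finding]:
    """Report (a) any world-writable file or directory under root and
    (b) any data-export file whose mode grants read access to 'other'."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # skip symlinks; the target is audited where it lives
            mode = stat.filemode(st.st_mode)
            if st.st_mode & stat.S_IWOTH:
                findings.append(Finding(path, "world-writable", mode))
                continue
            ext = os.path.splitext(path)[1].lower()
            if stat.S_ISREG(st.st_mode) and ext in SENSITIVE_EXTENSIONS and st.st_mode & stat.S_IROTH:
                findings.append(Finding(path, "data export readable by everyone", mode))
    return findings


def restrict(findings: List[Finding]) -> int:
    """Clear every 'other' permission bit on each flagged path and return
    how many paths changed. Owner and group bits are left alone, so the
    service account that serves the directory keeps its own access."""
    changed = 0
    for finding in findings:
        current = stat.S_IMODE(os.lstat(finding.path).st_mode)
        wanted = current & ~0o007
        if wanted != current:
            os.chmod(finding.path, wanted)
            changed += 1
    return changed


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed sample tree, audit it, fix it, and audit again.
    Returns the issues found before and after the fix, relative to root."""
    root = tempfile.mkdtemp(prefix="export-audit-")  # created mode 0700
    try:
        layout = {
            "customers.csv": 0o644,  # typical umask result: readable by anyone
            "notes.txt": 0o644,      # world-readable too, but not a data export
            "backup/": 0o755,
            "backup/db.sql": 0o600,  # correctly restricted
            "uploads/": 0o777,       # world-writable directory
        }
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            if rel.endswith("/"):
                os.makedirs(path, exist_ok=True)
            else:
                with open(path, "w") as fh:
                    fh.write("sample\n")
            os.chmod(path, mode)

        def report(findings: List[Finding]) -> List[str]:
            return sorted(f"{os.path.relpath(f.path, root)}: {f.issue}" for f in findings)

        before = report(audit_tree(root))
        restrict(audit_tree(root))
        after = report(audit_tree(root))
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    found, remaining = demo()
    print("before:", found)
    print("after: ", remaining)
```

Run it against the real document root instead of the sample tree with `audit_tree("/var/www/html")` (path is an example) and review the findings before calling `restrict`; a file that the web server itself must read through the 'other' bits needs its group fixed rather than its permissions stripped. Note that this only catches filesystem-level exposure; a database listening on a public port with no authentication needs its bind address and credentials checked separately.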
A full-fledged data breach is the type of exposure you most often hear about in the news: an attacker has infiltrated your organization through a phishing email, malware (including ransomware), an unsecured back door, etc. From there, they may have been monitoring and copying data for days, weeks, or even years.
If you are the victim of a full-fledged data breach and determine that customer data was affected, you'll need to follow protocol for notifying customers so they can change their passwords, set up credit monitoring, cancel their credit cards, and so on.
If you think customer data has been exposed, don’t panic. Instead, follow these six steps to quickly, effectively, safely, and correctly respond to the event.
1. Determine what the vulnerabilities are, where they are, and fix them.
For example, if the breach came through a database left open on a public server, take it offline or lock down its access controls, and encrypt the stored data so that a future exposure doesn't hand over plaintext records.
2. Once the breach is no longer active (meaning you’ve cut off the source), determine what kind of customer data was exposed.
Emails? Phone numbers? Health records? Credit data? Personal identifiers, like social security numbers?
3. Look up the data breach notification laws that apply to your location, industry, and country.
Some laws require notice within days (the GDPR, for example, gives 72 hours to notify the supervisory authority), while others provide more leeway (e.g., 30-45 days). If you're in the U.S., here's a handy guide to state data breach notification laws.
4. Within the period the applicable notification law allows, inform affected customers via email and letter.
This will allow customers to take action to protect themselves, such as by changing their password, getting credit monitoring, freezing cards or credit information, etc. It will also help you avoid any fines or penalties that come with not informing those affected by a breach.
5. Inform employees so they know how to talk to customers (and the public) about the data breach.
6. Update your cybersecurity strategy to avoid future issues.
This could include implementing better security solutions for data encryption, network monitoring, password policies, and more.
Related Reading: Our separate article walks through responding quickly and efficiently to the other areas of a breach.
Prevention is the best way to plan for exposures of customer data. To avoid future incidents, take a thorough look at the cybersecurity practices currently implemented throughout your organization and make sure rules are being followed closely. If there are gaps in your plan, find ways to solve them.
Here are a few suggestions to help strengthen your cybersecurity strategy:
If you don’t yet have one, a response plan can be used to put steps in place for a data breach or cybersecurity incident. Read our blog on how to create a response plan to ensure that next time, you know exactly what to do in this situation.