What’s worse — a company that waits three years to let its customers know they’ve been breached, or a data protection office that’s forced to turn an investigative eye on itself? The answer: They’re both equally concerning.
Still more troubling is that these are not hypothetical situations. They both happened, and on the same day, no less.
Three Years is a Long Time To Wait
For all business owners out there, the ideal scenario would find you never suffering a breach, thanks to the strength of your enterprise security system. But the reality is that many companies don’t take the proper measures to ensure the safety of their organization and therefore all but set themselves up for attack. When that attack does eventually happen, the enterprise will be forced to put a plan in place to bounce back.
Dealing with the fallout of a malicious incursion can make or break a business. There are, after all, a host of factors to consider in the recovery from a breach, including making sure the problem is contained and determining what, if anything, was lost. But by far the most important step any attacked company must take is communication — that is, letting every relevant person or group know about the attack. If customer data was compromised, those consumers should find that out immediately. Otherwise, a business looks at best unprepared, and at worst downright deceptive.
A recent failure by an Australian website to notify customers of a breach falls into this latter category. That’s because the company — Catch of the Day — waited a full three years to let people know they’d suffered an intrusion that put customer credit cards and passwords at risk, according to ZDNet.
“Data security is very important to us, which is why we need to let you know about some developments affecting member accounts created before 7 May 2011,” the breach notification read.
The statement revealed that a cyberattack in early 2011 placed customer data in jeopardy. But far from being ignorant of the intrusion when it had happened, the company said they’d taken measures back in 2011 to deal with it, including reach out to police and inform banks. They’d done everything right, except that somewhere down the line they decided to ignore the most important step in breach recovery: being transparent with customers.
A three-year interlude between incident and notification is likely one for the record books, and Catch of the Day now holds that shameful title. The company’s decision to withhold information for so long is inexcusable and the business’ reputation will suffer accordingly.
Data Watchdog Group Fails to Prevent its Own Breach
In other embarrassing security news, a British office charged with investigating security incidents has admitted to being attacked itself, according to PCPro.
In its “Annual Report and Financial Statements for 2013/2014,” the Information Commissioner’s Office spent most of the report detailing the breaches it had investigated. In the middle of the document, though, under a heading entitled “Personal data incidents,” the group admitted to suffering its own security incident, which, it was quick to point out, was minor in nature.
“There has been one non-trivial data security incident,” the report stated. “The incident was treated as a self-reported breach. It was investigated and treated no differently from similar incidents reported to us by others.”
It is commendable that the group was forthright about its attack and did not attempt to make excuses about it. However, there’s a cruel irony in a security investigation committee having to turn its focus inward and this could lead to a loss of credibility for the group.