Importance of Data Management and Crisis Response Management

January 3, 2024

INTRODUCTION

Data breaches have become common: in this digital age, data is power, and cyber-attacks, insider threats and privacy breaches are as frequent as everyday thefts and break-ins. There have been instances where such attacks and threats were repelled and neutralized, and others where, after a significant data leak, strong recovery measures were adopted so that the event does not repeat.

Data breaches are events in which an institution’s database containing sensitive information is leaked, directly or indirectly. Such breaches are primarily committed by cyber-criminals, and the leaked data is subsequently used for unlawful purposes. This article discusses the importance of crisis response management in the event of a data leak and how a successful crisis response can help mitigate the aftermath of a data breach.

INSTANCES OF CYBER ATTACKS

In the following instances, attempted cyber-attacks intended to cripple an institution were successfully repelled.

1. AIIMS, Delhi

In June 2023, AIIMS, Delhi came under attack by cybercriminals for the second time in a year. In this case, the cyber-attack was neutralized with the help of advanced firewall measures. Internet services at the hospital remained blocked for several days as Delhi Police joined the investigation with the Indian Computer Emergency Response Team (hereinafter referred to as “CERT-In”) and the National Informatics Centre (hereinafter referred to as “NIC”).

The cyberattack disrupted many services, especially online processes. Soon after, however, the hospital launched Standard Operating Procedures (SoP) for manual admission and discharge.

2. US Treasury

In October 2022, the US Treasury successfully thwarted a Distributed Denial-of-Service (hereinafter referred to as “DDoS”) attack attempted by a Russian hacker organization.

3. Google, Amazon, Cloudflare

Google Cloud was hit by the largest DDoS attack in history, with the digital onslaught peaking at an unprecedented 398 million requests per second (hereinafter referred to as “RPS”). Google was not the only one to get hit. Cloudflare, a leading content delivery network (hereinafter referred to as “CDN”), and Amazon Web Services (hereinafter referred to as “AWS”), the world’s biggest cloud provider, also reported getting blasted. Cloudflare fended off a 201 million RPS attack, while AWS held off a 155 million RPS assault. The “Rapid Reset” technique exploited the HTTP/2 protocol’s stream multiplexing feature and is the latest step in the evolution of Layer 7 attacks. The attack works by pushing many logical streams to be multiplexed over a single HTTP/2 connection.
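As an added illustration (not code from the original article or from any of the providers named above), the following Python script shows one way a server-side monitor can recognise the open-then-reset pattern behind Rapid Reset: the client opens a stream and cancels it with RST_STREAM almost immediately, so a plain limit on concurrent streams is never reached. The frame events, connection names and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque


def build_sample_frames():
    """Constructed sample of HTTP/2 frame events seen by one server, as
    (timestamp_seconds, connection_id, frame_type, stream_id).  Not real
    traffic: one ordinary client and one client showing the open-then-reset
    pattern."""
    frames = []
    # Ordinary client: 20 requests over two seconds, two of them cancelled.
    for i in range(20):
        sid = 2 * i + 1
        frames.append((i * 0.1, "conn-benign", "HEADERS", sid))
        if i in (5, 12):
            frames.append((i * 0.1 + 0.05, "conn-benign", "RST_STREAM", sid))
    # Abusive client: 300 streams opened and reset within about 0.3 seconds,
    # so the number of *concurrent* streams never exceeds one.
    for i in range(300):
        sid = 2 * i + 1
        t = i * 0.001
        frames.append((t, "conn-abusive", "HEADERS", sid))
        frames.append((t + 0.0005, "conn-abusive", "RST_STREAM", sid))
    frames.sort(key=lambda f: f[0])
    return frames


def detect_rapid_reset(frames, window=1.0, max_resets=100, min_reset_ratio=0.5):
    """Return {connection_id: first_timestamp_flagged} for connections that
    sent at least `max_resets` RST_STREAM frames within `window` seconds and
    whose resets make up at least `min_reset_ratio` of the streams they opened
    in that window.  A concurrent-stream limit alone would not catch this,
    because every stream is closed almost as soon as it is opened."""
    opens = defaultdict(deque)    # per connection: timestamps of HEADERS
    resets = defaultdict(deque)   # per connection: timestamps of RST_STREAM
    flagged = {}
    for ts, conn, ftype, _sid in frames:
        if ftype == "HEADERS":
            opens[conn].append(ts)
        elif ftype == "RST_STREAM":
            resets[conn].append(ts)
        else:
            continue  # DATA, WINDOW_UPDATE, ... are irrelevant here
        # Slide the window: forget events older than `window` seconds.
        for dq in (opens[conn], resets[conn]):
            while dq and ts - dq[0] > window:
                dq.popleft()
        n_open, n_reset = len(opens[conn]), len(resets[conn])
        if n_open and n_reset >= max_resets and n_reset / n_open >= min_reset_ratio:
            flagged.setdefault(conn, ts)  # keep the first time the threshold was crossed
    return flagged


if __name__ == "__main__":
    for conn, ts in detect_rapid_reset(build_sample_frames()).items():
        print(f"{conn}: rapid-reset pattern first seen at t={ts:.4f}s")
```

Production mitigations apply the same idea inside the HTTP/2 implementation itself (counting resets per connection and closing connections that cross a threshold); the point the script makes is that the signal is the rate of resets, not the number of streams open at any instant.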

4. Microsoft and AO3

A similar large-scale DDoS attack affected Microsoft and the fan-fiction website AO3, leaving Microsoft’s Outlook unavailable for many users. Microsoft later clarified that the DDoS attack had been mitigated and handled.

MEASURES AND BEST PRACTICES ADOPTED AFTER A DATA BREACH

As mentioned hereinabove, a data breach is the release of confidential, private, or otherwise sensitive information into an unsecured environment. A data breach can occur accidentally or as the result of a deliberate attack. However, if an institution is well prepared for what needs to be done after a data breach occurs, it can minimize the aftershock and start incorporating measures to ensure the same does not happen again. Institutions are advised to do the following:

1. Confirm the Breach

According to one survey of SOC professionals, approximately 50% of breach reports are false positives. Investigating false positives consumes the security team’s time and budget. Therefore, a security team is advised to confirm that a data breach has actually occurred before assembling a task force.

2. Assemble a Task Force to Handle the Situation

This keeps all response and recovery efforts centralized. If a data breach occurs, it is advisable to have an incident response plan that includes defined roles for each member, which will help accelerate your response.

3. Isolate Affected Machines and Accounts

If a virus affects a particular machine, one must immediately disconnect it from the network. It is advisable to temporarily disable affected accounts or limit their permissions. Additionally, one must isolate the segment of the network that has been affected.

If the computer has been unplugged from the network (Ethernet, Wi-Fi, or Bluetooth), one must not shut down power to the device unless directed to do so. Investigators may want to examine the machine first while they work out how the attack happened and how extensive the damage is.

4. Examine the Evidence

Once the breach is contained, preserve and examine the evidence. Take notes and create a timeline of events. At this point, one must contact law enforcement or the appropriate authorities. By keeping the evidence intact, one has a better chance of tracing the malicious actor.

5. Fix the Vulnerabilities

If the breach exploited a vulnerability in the system, it is important to correct it and look for other vulnerabilities a future attack may exploit. This may include starting a cybersecurity awareness program.

6. Notify Affected Parties

Security breaches in which data loss took place often mean that companies are required by law to notify affected parties, usually within a given period. This step must not be neglected: failing to provide the proper notifications can further damage consumer trust and the company’s reputation and lead to costly fines.
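The six steps above can be tied together in a single record that enforces their ordering and keeps the evidence timeline tamper-evident. This is an added Python example, not code from the original article; the incident identifier, asset names, timestamps and the 72-hour notification period are constructed placeholders (the actual period depends on the applicable law), and hash-chaining of entries is one common way of keeping the evidence intact, as step 4 recommends.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry


class IncidentRecord:
    """Tamper-evident incident timeline.  Each entry carries a SHA-256 over its
    own fields plus the previous entry's hash, so editing or deleting an entry
    after the fact breaks the chain.  The notification period is a parameter;
    72 hours is a constructed placeholder, not a statement of any law."""

    def __init__(self, incident_id, notification_period_hours=72):
        self.incident_id = incident_id
        self.notification_period = timedelta(hours=notification_period_hours)
        self.confirmed_at = None
        self.entries = []

    def _append(self, ts, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": ts.isoformat(), "action": action, "detail": detail, "prev": prev}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    # Step 1: the breach is confirmed before any task-force action is logged.
    def confirm(self, ts, evidence):
        self.confirmed_at = ts
        return self._append(ts, "confirmed", evidence)

    def _require_confirmed(self):
        if self.confirmed_at is None:
            raise RuntimeError("confirm the breach before responding to it")

    # Step 3: record each isolation (machine, account, network segment).
    def isolate(self, ts, asset):
        self._require_confirmed()
        return self._append(ts, "isolated", asset)

    # Step 4: evidence items are logged together with a digest of the artefact.
    def preserve(self, ts, artefact_name, artefact_bytes):
        self._require_confirmed()
        digest = hashlib.sha256(artefact_bytes).hexdigest()
        return self._append(ts, "evidence", f"{artefact_name} sha256={digest}")

    # Step 6: the notification deadline runs from the moment of confirmation.
    def notification_deadline(self):
        self._require_confirmed()
        return self.confirmed_at + self.notification_period

    def verify_chain(self):
        """Recompute every hash; False if any entry was altered or removed."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def build_sample_incident():
    """Constructed walk-through of the steps on a fictitious incident."""
    t0 = datetime(2024, 1, 3, 9, 0, tzinfo=timezone.utc)
    rec = IncidentRecord("INC-0001")  # constructed identifier
    rec.confirm(t0, "EDR alert correlated with outbound transfer from fileserver-01")
    rec.isolate(t0 + timedelta(minutes=10), "host fileserver-01 (network cable pulled, power left on)")
    rec.isolate(t0 + timedelta(minutes=12), "account svc-backup (disabled)")
    rec.preserve(t0 + timedelta(hours=1), "fileserver-01-memory.raw", b"constructed memory image bytes")
    return rec


if __name__ == "__main__":
    rec = build_sample_incident()
    print("chain intact:", rec.verify_chain())
    print("notify affected parties by:", rec.notification_deadline().isoformat())
```

Note that the record refuses to log an isolation or evidence item before the breach is confirmed, mirroring step 1, and that the host entry records the cable being pulled while power stays on, as step 3 advises.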

DATA BREACH CRISIS RESPONSE MANAGEMENT

The Situational Crisis Communication Theory (hereinafter referred to as “SCCT”) holds that “attributions of crisis responsibility have a significant effect on how people perceive the reputation of an organization in crisis and their affective and behavioral responses to that organization following a crisis”.

A data breach has far-reaching consequences that affect long-term trust in the institution. These can, to an extent, be mitigated with the help of a crisis response team. The typology of crises is based on initial organizational responsibility: victim crisis, accidental crisis, and preventable crisis. Each crisis type is linked to a predetermined communication response strategy for handling the crisis.

Data breaches by hacking fall halfway between the victim crisis type and the preventable crisis type, in the accidental crisis cluster, which presumes low direct controllability and no intentionality. A corporate response posture to data breaches by hacking would therefore first resort to base responses (adjusting and instructing), coupled with either diminish or rebuild strategies.

PROCESS AND IMPORTANCE OF DATA MANAGEMENT

Data management refers to the process of gathering, storing, organizing, and preserving data to support analysis and decision-making. Given today’s exponential growth of data, proper data management methods are critical for integrating diverse types of data, ensuring data quality and integrity, reducing mistakes and duplication, and adhering to legal and ethical norms.

The common steps involved in creating data management strategies are-

1. Identifying business objectives

2. Creating strong data processes

  • Collection of data
  • Analysis of collected data
  • Preparation and storage of data
  • Careful channeling/distribution of data

3. Implementing the latest technology

4. Data governance policies

  • Data quality
  • Data security
  • Data privacy
  • Data transparency

5. Employee training and execution

A well-rounded data management plan is essential for the functioning of any institution.

  • Increases productivity: Having a data management strategy helps boost productivity as data is seamlessly transferred within an organization without fear of breach. Also, it allows for the safekeeping of data for future use.
  • Cost efficiency: By avoiding unnecessary duplication through data management strategies, an institution can become more cost-efficient.
  • Reduces data loss/breach: By adopting data management strategies, institutions can reduce the loss of data and also prevent data breaches.
  • Accurate decision-making: Many organizations use different sources of information for planning, trend analysis, and managing performance. Within an organization, different employees may even use different sources of information to perform the same task if there is no data management process and they are unaware of the correct information source to use.

CASE STUDIES OF SIGNIFICANT DATA BREACHES

A comparative analysis is made of the data breaches at Target, Anthem and Yahoo. To understand these cases, the following questions are addressed-

1. What kind of security measures existed before the breach?

2. What was the nature of the attack?

3. What was the fallout of the attack?

4. What measures did the institution take to overcome the hurdle?

5. Comprehensive Analysis

A. TARGET DATA BREACH (2014)

1. Security measures existing before the breach-

Network segmentation, firewalls, malware detection suites, among others, as well as compliance with the Payment Card Industry Data Security Standard (PCI-DSS). Further, to counteract suspicious activity due to unauthorized access, Target had invested $1.6 million in the FireEye system, which created virtual chambers that lured hackers so they could be detected before they penetrated a system.

2. Nature of the attack-

Hackers had installed BlackPOS, a memory-scraping malware designed to capture credit and debit card data on compromised point-of-sale terminals. Theft of over 40 million consumers’ PII, including credit and debit cards used to make purchases in US stores, had occurred.

3. Fallout-

Target suffered heavy financial penalties of $252 million, reduced customer confidence, and a drop in stock prices.

4. Recovery measures taken-

Target realized that there was a need for more secure POS terminals and stronger networking standards, and that its Information Technology structure needed to be reconfigured to reflect a more secure model. The following measures were taken:

  • Implemented two-factor authentication
  • Chip-and-PIN implementation
  • Enhanced logging and monitoring systems
  • Whitelisting on POS terminals
  • Network segmentation
  • Introduced the RED Card, a more secure credit card

5. Analysis-

In this case, it is speculated that had the response team at Target taken the alerts given by their firewalls seriously, the data breach could have been avoided.

A further key point is the use of a vendor account to infiltrate the system. Hence, even vendors associated with a company need to take measures to protect against cyber-attacks.
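Network segmentation, listed among the recovery measures above, and the vendor-account entry path noted in the analysis are the two points that lend themselves to a concrete check. The following Python example is added here and is not Target’s code: it evaluates constructed flow records against a default-deny segmentation policy in which vendor-facing systems are never permitted to reach the POS segment. Segment names, addresses and ports are all assumptions made for the example.

```python
import ipaddress

# Constructed network segments (RFC 1918 placeholder ranges, not any real network).
SEGMENTS = {
    "vendor-portal": ipaddress.ip_network("10.10.0.0/24"),
    "corp":          ipaddress.ip_network("10.20.0.0/24"),
    "pos":           ipaddress.ip_network("10.30.0.0/24"),
    "payment-gw":    ipaddress.ip_network("10.40.0.0/24"),
}

# Default-deny policy: (source segment, destination segment, destination port).
# Anything between segments that is not listed here is a violation.  Note that
# no entry lets vendor-portal reach pos, directly or otherwise.
ALLOWED_FLOWS = {
    ("pos", "payment-gw", 443),      # terminals talk only to the payment gateway
    ("corp", "pos", 22),             # administrative access from corp to terminals
    ("vendor-portal", "corp", 443),  # vendors reach the billing portal, nothing else
}


def segment_of(ip):
    """Map an address to its segment name, or "unknown" if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port).  Returns the flows the
    segmentation policy does not allow, each tagged with the segments involved
    so an analyst sees *why* it was flagged."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            continue  # intra-segment traffic is outside this policy's scope
        if (s, d, port) not in ALLOWED_FLOWS:
            violations.append({"src": src, "dst": dst, "port": port, "path": f"{s}->{d}"})
    return violations


# Constructed flow records in the shape a firewall or NetFlow export might give.
SAMPLE_FLOWS = [
    ("10.30.0.15", "10.40.0.2", 443),   # POS -> payment gateway: allowed
    ("10.20.0.8",  "10.30.0.15", 22),   # corp admin -> POS: allowed
    ("10.10.0.5",  "10.20.0.40", 443),  # vendor -> corp portal: allowed
    ("10.10.0.5",  "10.30.0.15", 445),  # vendor -> POS: the path segmentation must block
    ("10.30.0.15", "10.30.0.16", 445),  # POS -> POS: same segment, not covered here
    ("10.30.0.15", "203.0.113.9", 80),  # POS -> host in no known segment: flagged
]

if __name__ == "__main__":
    for v in evaluate_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {v['path']}: {v['src']} -> {v['dst']}:{v['port']}")
```

Run over the sample, the evaluator flags exactly two flows: the vendor host reaching a POS terminal, and a POS terminal talking to an address outside every defined segment. The same policy table can be fed to a firewall as its rule set, and the script then serves as a check that observed traffic matches what the policy says should be possible.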

B. ANTHEM DATA BREACH (2015)

1. Security measures existing before the breach-

Anthem used ‘TeraData’ for its data warehousing infrastructure, which came with a number of security controls, including user-level security controls, role-based access controls, encryption mechanisms, and auditing and monitoring features.

2. Nature of the attack-

The hackers involved in this attack were a Chinese group. The attack was carried out by phishing: first, they compromised the account of a data administrator at Anthem, and through this account the data breach was committed. The PII (including social security numbers, medical IDs, birthdates, addresses, and detailed employment and income data) of nearly 80 million Americans was breached.

3. Fallout-

Anthem faced several civil class-action lawsuits, which resulted in an agreement to pay $115 million in damages. It also suffered severe loss to its reputation.

4. Recovery measures taken-

The federal judge adjudicating the matter ruled that Anthem needed to publicly state what measures were taken after the breach. The following measures were taken-

  • Resetting all passwords for associates and contractors
  • Re-issuing new IDs and passwords for users with escalated privileges
  • Implementing a three-tier authentication model along with one-time, limited-duration passwords for elevated privileges of user access
  • Expanding security logging and monitoring capabilities

5. Analysis-

Anthem did not encrypt a number of its files, and since the database administrator’s account, which had escalated privileges, was compromised, it was irrelevant whether Anthem used encryption or not. Further analysis of the breach revealed that five employees’ credentials were also compromised, which showed that there were many lacunae in Anthem’s cyber-security protocol.
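The one-time, limited-duration credentials for elevated privileges listed among the recovery measures, and the compromised administrator account the analysis describes, can be illustrated with a small credential broker. This is an added Python example, not Anthem’s implementation or any vendor’s product: the user names, scopes, 15-minute lifetime and audit event names are constructed for the example, and the “three-tier” model itself is not modelled. The point it shows is that a stolen elevated credential is worth far less when it works once, for a few minutes, for one purpose, and every use or misuse lands in the log.

```python
import hashlib
import hmac
import secrets
import time


class ElevationBroker:
    """Issues one-time, limited-duration credentials for elevated access.
    Only a SHA-256 digest of each credential is stored, so a copy of the
    broker's table is not itself a usable credential.  `clock` is injectable
    so the expiry path can be exercised without waiting."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # digest -> (user, scope, expires_at)
        self.audit = []     # (event, user, scope): feeds logging and monitoring

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, scope):
        """Hand out a fresh random credential valid for `ttl` seconds and one scope."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user, scope, self.clock() + self.ttl)
        self.audit.append(("issued", user, scope))
        return token

    def redeem(self, token, scope):
        """True exactly once per credential, only before it expires and only
        for the scope it was issued for.  Every other outcome is False and is
        recorded.  The credential is consumed on *any* attempt, so a wrong-scope
        or late attempt cannot be retried (fail closed)."""
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            self.audit.append(("rejected-unknown-or-reused", None, scope))
            return False
        user, issued_scope, expires_at = record
        if self.clock() > expires_at:
            self.audit.append(("rejected-expired", user, scope))
            return False
        if not hmac.compare_digest(issued_scope, scope):
            self.audit.append(("rejected-wrong-scope", user, scope))
            return False
        self.audit.append(("elevated", user, scope))
        return True


class ManualClock:
    """Constructed clock so the demo can move time forward deterministically."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through first use, replay and expiry for a constructed admin user."""
    clock = ManualClock()
    broker = ElevationBroker(ttl_seconds=900, clock=clock)
    t1 = broker.issue("dba-alice", "warehouse:admin")
    first = broker.redeem(t1, "warehouse:admin")    # True: first, in-time, right scope
    replay = broker.redeem(t1, "warehouse:admin")   # False: already consumed
    t2 = broker.issue("dba-alice", "warehouse:admin")
    clock.advance(901)                              # one second past the lifetime
    stale = broker.redeem(t2, "warehouse:admin")    # False: expired
    return first, replay, stale, broker.audit


if __name__ == "__main__":
    first, replay, stale, audit = demo()
    print("first use:", first, "| replay:", replay, "| expired:", stale)
    for event in audit:
        print(event)
```

The audit list is the part that maps onto the expanded logging and monitoring measure: a run of rejected-unknown-or-reused events for one user is exactly the signal a compromised administrator credential would produce.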

C. YAHOO DATA BREACHES (2013-14)

1. Security measures existing before the breach

The data breaches, although they took place in 2013-14, were not publicly disclosed at the time. In 2016, when the proposal to sell Yahoo to Verizon arose, the company made a public statement disclosing the data breaches that had occurred.

The security measures adopted by Yahoo before the data breach remain undisclosed. However, given the nature of the breach discussed hereunder, it is apparent that Yahoo’s security team and management failed to pursue an investigation of the data breach.

2. Nature of the attack

The 2013 data breach was allegedly carried out by a state-sponsored hacker organization whose name Yahoo did not reveal. The attack was carried out using forged website cookies, and three billion user accounts were compromised.

3. Fallout

The company had to pay $117.5 million in restitution to settle the lawsuit against it. This further burdened the company’s financial health, as there was a massive reduction in the price of Yahoo’s acquisition by Verizon.

4. Recovery measures taken-

After the first data breach, the company was still uncovering the extent of the damage when the second attack was made. Yahoo lost its identity, and the liability and responsibility for cybersecurity and the legal settlements were accepted by Verizon.

5. Analysis

Upon careful analysis of the data breach incident at Yahoo, it can be inferred that the company could have survived had it taken a proactive approach to addressing and resolving the data breaches that took place in 2013-14. Since a proper recovery strategy was not adopted, Yahoo lost its identity and goodwill.

AMLEGALS REMARKS

In today’s digital world, any individual or organization can become the victim of a cyber-attack; it is just a question of ‘when’. The corrective costs of poor data management and protection can be enormous, with a single incident costing millions of dollars.

In this scenario, companies and other institutions need to manage their users’ and employees’ data and to invest in robust cyber-protection, data management regimes, and protocols to handle data efficiently. The basic causes of faulty data and data loss are the lack of a data protection and management system, or a low-quality plan or system. Instead of being proactive, most firms are reactive, which costs them much more in the long term.

Thus, it is advisable to take precautionary measures and to conduct penetration and vulnerability assessments to safeguard data.

– Team AMLEGALS assisted by Mr. Sashwat Banerjee 


For any queries or feedback feel free to reach out to mridusha.guha@amlegals.com or jason.james@amlegals.com
