How to respond to a data breach

In the UK the average cost of a data breach has grown to over £2.5 million and the reputational harm a breach does to a business can be even worse.

A data breach is a security incident in which information is accessed without authorisation. In the last few years millions of personal details have been stolen. Organisations targeted and breached include; British Airways, Yahoo, Facebook, Dixons Carphone, Marriot Hotels, eBay, Equifax and Travelex.

• Sensitive business data: Information that could impact the reputation or profitability.
• Financial information: Customer bank details, debit or credit card information.
• Personally Identifiable Information (PII): Examples include full name, National Insurance number, bank account number or email address.
• Protected Health Information (PHI): Medical information that identifies an individual.

• Determine the scale of the breach: What data and how many records were compromised.
• How was the data exposed: Trace the path of the attacker, did they move from one system to another? Police cybercrime units can offer expert advice – ask for support.
• Document everything: Who, what, when and why is needed for external agencies but, committing pen to paper will also identify the next logical steps and support a response to future incidents by identifying the appropriate corrective actions.
• Isolate compromised systems: Once isolated, attempt to sanitise them. If an application vulnerability is being exploited, take the application offline. If a malicious insider has leaked information, cut off their access to the organisation’s network.
• Instigate business continuity plan. Determine what critical processes must take place and the data these processes need. Have work-arounds been planned out in advance?
• Never underestimate how long an attacker has been entrenched in your systems and what damage may be done.
• Never log into an infected machine with administrative credentials or plug in your backup.

• Breaches need to be reported to the Information Commissioner’s Office (ICO) and to individuals if they pose a ‘high risk’. Risk refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage or financial losses.
• You must notify the ICO within 72 hours and affected individuals without ‘undue delay’.
• If a crime has been committed, contact Action Fraud.
• If your organisation is affected by industry regulations, other 3rd parties might need informing, seek legal advice if in doubt.
• Determine ways for affected individuals, third parties and the media to make contact.

Security is a major concern for all businesses and creating a secure IT environment should be at the top of any business agenda. For more information about how TiG Data Intelligence can help your business take a look at the Guardian page or contact us.