If you're reading this blog, there's a good chance you're familiar with the topic of data breaches; they regularly make the headlines and cause a lot of extra work for IT, security and other staff in affected companies who battle to identify, contain and eradicate the attack.
But while the news stories carry the attack's immediate impact, we're rarely aware of the long-term cost to the organization and its staff, both personal and financial. But that is a story that needs to be told because the data breach itself is only the beginning of what can be a very long road for the company, its employees, and its clients.
Changing the Name to Protect the Not-So Innocent
This blog is based on a true story, but let's change the company's name as there is no need to kick an organization while it's down. So, in the spirit of Wile E. Coyote and the Road Runner, let's call the firm Acme. Acme is a construction company headquartered near Birmingham, UK. It employs just under 1,000 staff split between its offices and customer sites.
In March 2022, Acme became aware that its network had suffered a breach. An observant sysadmin spotted it by noticing unusual behavior, including the creation of accounts with names the sysadmin could not identify.
Without a proper incident response plan in place, it unfortunately took Acme a couple of days before someone with sufficient authority took appropriate action, even though the corporate rumor mill had already spread stories that something was amiss.
How bad was the situation? The next step Acme took was dramatic: it opted to close down the company, turn everything off and cease operations. Staff were sent home with the information that "a breach was being investigated."
Acme's clients were left high and dry without even the little information given to the workers. Instead, the company told its clients that Acme was undergoing an extensive audit and that until it was complete, they would not be able to do anything. Hmmm.
Acme's IT provider was called in to assist with the investigation. Such work wasn't in its area of expertise, but it was a lot easier to use a company you already have a commercial relationship with than to go out to the market and find someone else, especially when your communication and financial systems are offline. Needless to say, the investigation was long and expensive, and the results weren't conclusive or reassuring.
Immediate Consequences for Employees
While the company conducted the investigation, staff were put on two weeks of compulsory leave. Workers who had already used their annual allowance before this point now had no vacation time remaining for the rest of the year, so that holiday abroad they were planning might now have to include unpaid time off.
As if that wasn't enough to worry about, as the investigation continued and the end of the month drew closer, there was no clarity on whether the company would make payroll. Luckily, at the last minute, the money did land in the employees' bank accounts, although the stress of not knowing until the eleventh hour was neither acknowledged nor compensated.
Is it all over?
Finally, Acme is back in operation. The "audit" is over, but the company told everyone that if a client asks, they should stick to the audit story. As it turned out, most clients did not believe that fairy tale.
Staff were also largely in the dark, being told nothing beyond that a hack had taken place during which the attacker accessed a limited amount of personal information.
Additionally, the company did not report the breach to the ICO (the Information Commissioner's Office, the UK data protection regulator), perhaps because it judged that the incident did not meet the reporting threshold. Under UK GDPR, a personal data breach must be reported to the ICO within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, and that judgement needs to be documented and defensible.
Over the next couple of months, events settled down. Work restarted, although it seems a little quieter around the office than previously; is it possible a few clients did some quiet due diligence and decided to go elsewhere? Very likely. Clients are not stupid, and treating them as if they are is not a solid business move. A few staff continue to argue over their lost vacation time, but management isn't budging.
A few months later, those employees who regularly check their credit score noticed that a loan had been applied for in their name, but not by them. Having a loan taken out without your knowledge is bad enough, but in a few extreme cases this caused problems for people who had mortgage applications in progress at the time. As I write, affected staff are now trying to understand how they can fix this and how it happened when their employer reassured them that any loss of personal data was trivial.
And Looking Into the future…
We must remember that this is a true story, with real victims, both inside and outside the company. While the company has dealt with the immediate effects of the breach and Acme is back in operation, some clients and many staffers are unhappy.
Internal morale is very low, and some staff have resigned. Will Acme survive this setback? The likely answer is yes, but the effect on clients, and particularly on loyal employees, has been and continues to be negative.
I cannot predict the future repercussions, but it could involve Acme being hit with regulatory fines followed by a loss of reputation and business.
However, if effective monitoring, a robust and tested incident response plan, a forensic response service on standby, and a Data Protection Officer to assess and advise on regulatory requirements had all been in place, none of which needs to cost the Earth, I would be relaying a much happier tale.
The Last Word
Granted, this is an extreme case, but it's not as unusual as you might think, and the lessons which should be learnt are applicable to every organization. As I've outlined above, there are some simple steps an organization can take to avoid being caught in the same situation:
- Monitor what is happening on your infrastructure; this is relatively simple these days, and activities such as account creation, group membership changes and privilege changes should always raise some form of notification that a human actually looks at.
- Have an incident response plan and test it; you have an evacuation plan and run occasional fire drills so why not do the same for a security incident?
- Purchase an incident response retainer; think of it like insurance but of far more value.
- Build and test resilient infrastructure; having single points of failure means nothing else works if it goes down or is unavailable.
- Take the steps needed to limit an attacker's ability to get into your systems in the first place: multi-factor authentication and a sensible password policy, vulnerability management, and anti-malware.
The list goes on, but it's more important to note that none of these steps are difficult to implement or are inordinately expensive, unlike losing your clients, staff, and then your business.
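To make the first point concrete, here is a small detection rule of the kind that would have paged someone at Acme the moment the sysadmin's "unrecognised accounts" appeared. This is an added example written for this post, not code from Acme or its IT provider. It uses the real Windows Security event IDs for account creation (4720) and group membership additions (4728, 4732, 4756), but the log lines are constructed in a simplified key=value layout rather than the real EVTX/XML format; the set of privileged groups and the 30-minute escalation window are assumptions to tune for your own environment.

```python
"""Flag account creation and privilege changes in a simplified Windows Security log.

Added example, not the original post's code. The input format is a constructed
key=value layout; real Security events are EVTX/XML and need a proper parser first.
"""
import re
from datetime import datetime, timedelta

# Real Windows Security event IDs (Microsoft's documented values).
ACCOUNT_CREATED = 4720
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}

# Assumption: groups that count as privileged. Extend for your environment.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Assumption: a brand-new account made privileged this soon after creation is
# escalated to "high" instead of just raising a notification.
ESCALATION_WINDOW = timedelta(minutes=30)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # values with spaces are quoted

# Constructed sample log (not real data). First two lines mimic the kind of
# activity Acme's sysadmin noticed: a service account creating an unknown
# account and dropping it into the local Administrators group seconds later.
SAMPLE_LOG = r"""
2022-03-14T02:11:09Z EventID=4720 Subject=ACME\svc-backup Target=ACME\svc-updt3
2022-03-14T02:11:41Z EventID=4732 Subject=ACME\svc-backup Member=ACME\svc-updt3 Group=Administrators
2022-03-14T09:30:00Z EventID=4720 Subject=ACME\jsmith Target=ACME\new.starter
2022-03-14T09:31:10Z EventID=4732 Subject=ACME\jsmith Member=ACME\new.starter Group="Remote Desktop Users"
2022-03-14T11:02:55Z EventID=4728 Subject=ACME\jsmith Member=ACME\dbrown Group="Domain Admins"
2022-03-14T11:05:00Z EventID=4624 Subject=ACME\dbrown
"""


def parse_line(line):
    """Parse one line into a dict with 'ts' (datetime), 'EventID' (int) and the
    remaining fields; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    if "EventID" not in fields:
        return None
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["EventID"] = int(fields["EventID"])
    return fields


def detect(lines):
    """Run the rules over log lines; return a list of (severity, message) tuples.

    notice  - any account creation, or any non-privileged group addition
    warning - an existing account added to a privileged group
    high    - a newly created account added to a privileged group within the window
    """
    alerts = []
    created_at = {}  # account name -> creation time, for the escalation rule
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        eid = ev["EventID"]
        if eid == ACCOUNT_CREATED:
            created_at[ev["Target"]] = ev["ts"]
            alerts.append(("notice", f"account {ev['Target']} created by {ev['Subject']}"))
        elif eid in MEMBER_ADDED:
            group, member, scope = ev["Group"], ev["Member"], MEMBER_ADDED[eid]
            if group not in PRIVILEGED_GROUPS:
                alerts.append(("notice", f"{member} added to {scope} group {group} by {ev['Subject']}"))
                continue
            born = created_at.get(member)
            if born is not None and ev["ts"] - born <= ESCALATION_WINDOW:
                age = int((ev["ts"] - born).total_seconds())
                alerts.append(("high", f"new account {member} added to {group} {age}s after creation by {ev['Subject']}"))
            else:
                alerts.append(("warning", f"{member} added to privileged group {group} by {ev['Subject']}"))
    return alerts


def run_sample():
    """Convenience wrapper: run the rules over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity:7}] {message}")
```

On the sample, the svc-updt3 creation and its promotion to Administrators 32 seconds later produce a "high" alert, the Domain Admins addition for an account with no creation record produces a "warning", and the ordinary new starter only produces notices. The point of the escalation rule is that each event on its own is routine for a helpdesk, and it is the sequence, not any single line, that tells you an attacker is establishing persistence.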