“We’re writing to inform you of a security incident…”
A while ago a client got an email informing them that their hosting company had suffered a data breach. My client wasn’t sure what to do and asked for advice.
Here’s what I told them:
1. Follow the breached company’s advice
The company that was breached may not know everything about what happened yet (in fact, almost certainly won’t), but they’ll have more information than anyone else. They will have an idea of what data might have been accessed and will have thought about what the risks could be. They will give you advice based on their assessment, so do what they advise as soon as you possibly can.
2. …even if you/they don’t think you were affected
Companies will usually tell all customers about a breach, so you’ll probably get an email even if they don’t think your data is affected. But whether or not they think you’re at risk, the security advice will usually be pretty simple, so – unless it’s going to unnecessarily alarm your clients/customers – why not be over-cautious and behave as if you were affected, just in case?
It’s a good idea to update passwords regularly anyway (though how many of us actually do?) so use this as a reminder to update yours. Or if they advise adding two-factor authentication, that’s always going to be a good idea, so do that too.
3. Act quickly
If you’re advised to take action, do so as soon as you possibly can, before other things get in the way… or you forget!
The hackers may have a head start but you can reduce the risk by acting to stop them, so do whatever you can, as soon as you can.
4. Think about knock-on effects
Think about what else might be impacted – is it possible that the stolen data could have given hackers access to other passwords or systems?
For example if your email is compromised, a hacker could reset other passwords using that email address, so keep an eye out for unexpected password reset emails. Could the stolen data include access details for anything else – a website? your bank? Take action to secure those systems too.
In particular, if you’ve used the same (or similar) passwords elsewhere, make sure you change those too. (And please, in future, don’t reuse passwords across services – use a password manager like KeePass or LastPass).
5. Be wary of calls from ‘the company’
Scammers may use the data breach to contact you, pretending to be from the breached company, on the pretext of ‘keeping you safe’. Be wary of anyone calling or emailing claiming to be from the company that was breached, in particular if they ask you to do things you wouldn’t normally do.
If you get a call, hang up and call the company yourself (ideally using a different phone) using a number you know is correct.
And of course, don’t click on links in emails or text messages that you’re not sure about – go direct to the website and follow links there.
It’s also a good idea to check the sender’s email address carefully – it’s easy for scammers to use a zero instead of an O, or a 1 instead of an l, in order to make an email address look genuine when it isn’t. Also check the ‘reply to’ address to make sure it matches the displayed address.
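The two header checks described above (lookalike digits in the sender’s domain, and a ‘Reply-To’ that doesn’t match ‘From’) can be automated. This is an added example, not code from the original post; the trusted domain and the sample message are made up for illustration.

```python
import email
from email.utils import parseaddr

# Assumed domain the genuine notification should come from (hypothetical).
TRUSTED_DOMAIN = "example-hosting.com"

# Lookalike substitutions the text warns about: zero for O, one for L.
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})


def domain_of(address_header: str) -> str:
    """Extract the bare domain (lower-cased) from a From/Reply-To header value."""
    _, addr = parseaddr(address_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw_message: str) -> list[str]:
    """Return warnings for a raw RFC 822 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    warnings = []
    from_hdr = msg.get("From", "")
    reply_hdr = msg.get("Reply-To", "")
    from_domain = domain_of(from_hdr)
    if from_domain != TRUSTED_DOMAIN:
        # Fold 0->o and 1->l; if that yields the trusted domain, it is a lookalike.
        if from_domain.translate(CONFUSABLES) == TRUSTED_DOMAIN:
            warnings.append(f"From domain {from_domain!r} is a lookalike of {TRUSTED_DOMAIN!r}")
        else:
            warnings.append(f"From domain {from_domain!r} is not {TRUSTED_DOMAIN!r}")
    if reply_hdr:
        _, from_addr = parseaddr(from_hdr)
        _, reply_addr = parseaddr(reply_hdr)
        if reply_addr.lower() != from_addr.lower():
            warnings.append(f"Reply-To {reply_addr!r} does not match From {from_addr!r}")
    return warnings


# Constructed sample: genuine-looking display name, a zero in the domain, mismatched Reply-To.
SAMPLE = """From: Support <security@example-h0sting.com>
Reply-To: help@mailbox-example.net
Subject: Important security update

Please confirm your password at the link below.
"""

if __name__ == "__main__":
    for w in check_headers(SAMPLE):
        print("WARNING:", w)
```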
6. Tell your customers (if you need to) quickly
It’s not always necessary to tell your customers about a data breach. If it only affects your data, then no need to worry them. However, if it affects, or might affect, their data, then you probably should. You may not have all the details yet, but don’t wait – acting quickly is the most important thing. Don’t overload them with detail, just tell them what happened and what it might mean for them, to the best of your knowledge.
7. Review your processes
Obviously you can review your data storage and processes at any time (the sooner, the better), but a breach is a very effective reminder! Use it to your advantage – get the whole team thinking about what risks there could be. Then, if possible, act to reduce those risks.
8. Don’t panic
Above all, don’t panic! It won’t help and if you’re flustered you’re more likely to make bad decisions. Anyone can get hacked or have data stolen – even the Pentagon – so don’t blame yourself. Taking action to mitigate any damage is the best thing you can do.
Do you have any more tips for dealing with a data breach? Let me know.