Tuesday
Sep212010

Facebook to Users: We Have Your Paypal Credentials--Resistance is Futile.

A couple of months ago, I ran across a post about how Facebook did a data load from their application partners who accept payments, and how this caused them to gain access to users' Paypal login/password.  "Now Facebook has your login and password, and it is part of your profile!" the post warned.  It followed up with a good description of the steps to remedy this forced disclosure of credentials that most would want to keep private, since it is a direct line into their wallet.


The post described how to go into your settings and disable that "feature" so that you will not have Facebook storing your login and password to Paypal.  I specifically went in to verify that my credentials were not in there, but later after making a purchase from an application (and declining their prompt to link the application to my Paypal account as I do each time), I noticed that it had been populated in my profile regardless.  I removed it, and Paypal sent me an email confirming the relationship had been severed.  I had opted out.


Today, after making another purchase, I got a bit of a shock.  After my last purchase, I again declined to link the account to this application.  Today's purchase went through without my being redirected to the Paypal site or prompting me for login or password.  I checked my settings, and sure enough, the account detail had again been populated without my consent.  I deleted the credential again from my Facebook profile. 


Then I did a quick test.  I made a purchase through the same application for the least dollar amount possible.  I was prompted for the credentials since I'd removed them from my profile.  At no time was I told that Facebook would be keeping my login and password to this site, nor was I given the option to opt out.  I went back to my account settings, and it was populated again.  The next purchase used those credentials to login and authorize the purchase without my entering a password.


I understand that Facebook is marketing this as a convenience for their users, but I object to having my credentials to a financial site automatically stored without my consent--and in fact, after opting out multiple times, the behavior is clearly a standard practice for this site.  This is an unacceptable breach of privacy--I chose not to share the credentials and the site effectively stole them.  I would not consider it a convenience to find that a compromise of my social networking account had also caused a compromise of a financial account that I did not consent to share.

Saturday
Jul242010

2,807 Data Breach Incidents; 721.9 Million Records Disclosed

One of the first classes I took in my Ph.D. program gave us a research assignment to "develop some new information security metrics".  I settled on the topic of data breaches, and decided to take a look at them from a statistical standpoint.  I looked in the academic literature, and most of the papers dealt with the cost of the breach from a standpoint of the stock value or capital markets.  I found one paper that looked at breaches between 2003 and 2005, which was before most of the current data breach laws had come online.

I did a study on the problem, turned in a paper with the results (I think I had just over 1,000 incidents) and got an A.  I had been bitten by the bug--it was too late.  I kept up the study, looking for new insights to be found in the data.  I added incidents over time, and found new sources as well.  Eventually, I had a database with 2,807 incidents over the span of 5 years. 

I wanted to publish the study so that the widest possible audience could benefit from the information.  I'm happy to announce the publication of The Leaking Vault - Five Years of Data Breaches.  I hope you find the contents useful.

Friday
Jun112010

Contingency Planning for a Data Breach

The worst has happened—your company has suffered a data breach.  Now what do you do?  Was the data credit card numbers?  Social Security numbers?  Medical information?  Which laws apply?  How will your customers/stockholders/employees/patients perceive this event?  What services should you offer to help mitigate the damage?  Who in the organization should make these decisions?  These are the types of questions that should be settled ahead of the incident, not in the heat of the moment when the media is camped outside the corporate offices.

Contingency planning for a data breach event should be viewed as a subset of the organization’s Incident Response Plan.  This plan covers a specific set of circumstances that will not arise during every incident—not every event will result in the discovery of a data breach.  When it does happen, however, preparation can make all the difference in the way a company handles the events that follow.

As with an Incident Response Plan, a team should be identified to handle the event.  Members of the team should be representatives of the company’s technical and business units, including Information Security, Public Relations, Legal, and any other group that may be needed, depending on the type of data disclosed.  For instance, publicly traded companies may want to include representatives from Investor Relations in addition to those listed above.

Once the members of the team have been identified, a plan should be put together that addresses the questions in the first paragraph of this article—the plan may vary somewhat based on the type of data disclosed and the function of the organization.  Each data type should be covered separately if the response to it will differ.  The representative from Legal should be able to provide an overview of the laws that apply to each data type, as well as the breach notification laws for every jurisdiction in which the company has customers.  Keep in mind this may include both domestic and international laws, since the applicable law is determined by the locations of the customers, not the company.  This matrix of relevant laws will be very useful in an actual incident as a quick reference.

If services (such as credit monitoring) are to be offered, the time to investigate which service provider to engage is before a breach occurs.  This way, terms of service can be negotiated when urgency is not a factor.  The plan should document the terms once they are finalized, along with any contact information required to activate the service.  A contact number should be established ahead of time for those who are notified to call should they have questions (this number is included in the notification letter), and a script prepared in advance (as a template, to be populated with the relevant details when needed) for those who will be answering the phones.  (The group that will be answering these calls should also have a representative on the team to ensure that they can deliver any planned services.)  Similarly, sample notification letters can be drafted as part of the plan.  This will save time during an incident when notification is necessary, and provide a consistent framework for notification over time.

On the topic of notification—the plan should also list the outside organizations that need to be notified.  In some cases, depending on the data type, this may include the credit card brands (Visa, MasterCard, etc.), the company’s bank, law enforcement or government agencies.  Some cases may require notifying the press, so sample press releases should be drafted as well.

The final step with any of these types of plans is to conduct a trial run—a tabletop exercise that tests the plan’s completeness and correctness.  Annual testing will ensure that the plan is kept up to date with changes in the law, and with changes in the membership of the team.  It will also give the organization the opportunity to make the changes identified during the test, making the plan stronger and more useful.

While no organization wants to believe that they will experience a data breach event, there are examples in the press of these events occurring regularly.  With planning and preparation, the response to such an event can be handled without panic, minimizing the impact of the breach event to the organization.

Sunday
Dec202009

Join the Digital Forensics Association!

For those of you who don't know, I'm the founder of a non-profit organization that is dedicated to fostering research, networking and educational opportunities for those with an interest in digital forensics.  It's been a long road to get to this point, but we are finally able to announce that the Digital Forensics Association is accepting applications for Individual Membership as well as Professional and Student Chapters. 

If you are interested, please consider getting involved with the organization.  We have a number of research projects, including establishing a Common Body of Knowledge for digital forensics, and building a Testimony Archive of court cases where digital forensics testimony was presented.  More information can be found on our website at www.digitalforensicsassociation.org

This is an excellent way to give back to those who have helped you along your career path, as well as to meet some amazing local practitioners and develop professional contacts in this area.  We are also soliciting companies and organizations that can provide internships (paid or unpaid) for those who have obtained training in digital forensics and now need to build that all-important initial experience.

I hope to see you at a local chapter meeting soon!

Tuesday
Dec152009

‘Tis the Season to Steal Laptops…

If you have not already implemented a Security Awareness program in your company, consider putting something out soon about laptop theft.  During the holidays, employees frequently go Christmas shopping after work, and in many cases leave their laptops in their vehicles.  In this uncertain economy in particular, it does not pay to leave valuables in plain sight in vehicles.  Awareness programs should stress the following points:

• If possible, don’t bring the laptop.
• If they must bring it, put it in the trunk before leaving work, not after arrival at the store.
• Putting the laptop in the trunk at the store is like raising a red “Here is stuff worth stealing” flag to any watching thief.
• If they bring it home, they should not leave it in the vehicle overnight—bring it into the house.

Thieves see an easily fenced (or gifted) electronic item. Their goal is probably not the data on the hard drive, but the company may find itself having to report a data breach. Ideally, the contents of the laptop will be encrypted and the laptop backed up on a regular basis to minimize the damage the loss of the equipment causes.