“Subject: Cyber Security Incident
Dear Customer,
I wanted to write to you personally in regards to a recent cyber security incident…”
It’s not the best email to receive from a company you’d previously trusted with your personal and financial details. This, however, was the email that EasyJet customers received last May when the company announced a breach that affected over 9 million customers (including the credit card details of over 2,000 of those customers).
As our Head of Engineering, Paulo Ferreira, recently discussed, data breach notifications are often riddled with obfuscation. That is a missed opportunity: handled well, a notification can be a pivotal moment in re-establishing trust between a company that has suffered a breach and the customers whose data is affected.
Well-managed communications around a data breach are, first and foremost, timely. Given that customers were informed about the EasyJet breach in May 2020, one might expect that the breach had occurred that month, in the days before they received the news. Sadly not.
“Our investigation found that your name, email address, and travel details were accessed for the easyJet flights or easyJet holidays you booked between 17th October 2019 and 4th March 2020...”
A window of nearly five months during which the data was being accessed (and some seven months from the start of that access until customers were notified) does not help in restoring clarity and trust. Customers may well question how seriously cyber security is taken by an organisation that is so slow to detect and contain an incident. They may also (and possibly more seriously) question how much customer security is respected by an organisation that then delays further before notifying the people affected. If they conclude that neither is being treated sufficiently seriously, they may well take their custom elsewhere.
Unfortunately, this kind of delay is not unique or even uncommon. In the case of the Marriott hotel group, it took 4 years before a data breach was even noticed.
This is the stuff of nightmares for CEOs. Data breaches, especially with delays in discovery and response, affect all parts of a business. Obviously, IT and security teams are tasked with investigating and fixing the breach itself. But every department and executive will have a role: there are regulatory implications to navigate; customer communications and relations to maintain; financial obligations from fines and compensation to meet; and all of this will require co-ordination.
This company-wide response is particularly necessary now that data breaches and their implications have entered the public consciousness. With GDPR requiring businesses to report personal data breaches to the regulator (within 72 hours of becoming aware of them, where feasible) and to tell affected individuals without undue delay when the risk to them is high, what would previously have been a hidden, niche issue is now mainstream. This means that customers are much more aware of, concerned about, and invested in, their data security. Companies’ conduct before, during and after data breaches is inevitably more scrutinised.
Accordingly, social and reputational standards around how to disclose a data breach have emerged in the public imagination. As Paulo mentioned in his discussion of notification communications, these standards include timeliness, honesty and transparency with customers over the exact nature and extent of the cyber incident. Even if a company is sharing details of a minor breach, delaying, trivialising or obfuscating the details will engender far more distrust and ill-will than more transparent peers attract, even when the breaches those peers suffer are more severe.
This honesty and sincerity also requires companies to credibly commit to minimising the likelihood and impact of such incidents for their customers in future. This means, firstly, supporting affected customers with advice and resources to help them secure and monitor their data. It also means redoubling your cyber security efforts: investigating the breach itself to confirm that it has been fully contained; reviewing other avenues for breaches (especially where this one has highlighted a new type of vulnerability); and ensuring that key data is encrypted, segregated and reachable only by the services that genuinely need it.
Finally, and most importantly, showing that your business took its cyber risks seriously before any breach occurred, and made good-faith efforts to minimise the risk you and your customers face, is the most effective way to reduce the likelihood of a breach and the severity and impact of one if it does occur. Instituting data-handling processes will limit the opportunity for accidental exposure of customer information. While seemingly simple, these will eliminate many common causes of data leaks which are all too easy to commit, such as putting every customer email address in the “To” field instead of “Bcc”; inadvertently setting documents to be publicly accessible; or unintentionally disclosing information that should have remained confidential. Regular penetration tests will highlight vulnerabilities that could expose customer data. KYND’s continuous monitoring service, KYND ON, will also give you the reassurance that your infrastructure is being checked, and you will be alerted to issues as soon as they appear rather than once they are exploited.
Part of this monitoring can also support your ability to promptly detect, remediate and notify your customers of any data breach as soon as it occurs. With KYND’s data breach monitoring service, we create unique “customers” whom you can onboard into your data wherever you store it, be it a database, CRM, mailing list or spreadsheet. KYND then monitors those customers for activity, so that the moment anything suspicious happens to them, in whatever form, KYND notifies you immediately. And because you can place a different KYND monitor in each of the places you store your data, KYND can help pinpoint exactly where the breach has occurred, allowing you to rapidly fix the issue, notify your customers and minimise the impact. That means you won’t be repeating EasyJet’s and Marriott’s mistakes.
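The mechanism described above is a honeytoken: a fabricated customer record planted in each data store, whose contact details are used by nobody legitimate, so that any message sent to them proves that the store holding that record has leaked. The following is an added illustration of the technique and is not KYND’s product code. It assumes a mail server log in the form "<ISO-8601 timestamp> RCPT TO:<address>" and constructs its own sample log lines; the store names, the secret key and the canary domain are placeholders.

```python
"""Honeytoken ("canary customer") records for locating a data breach.

Added illustration, not KYND's code. One fabricated customer is planted in
each data store. Each canary's email address is derived from a secret and
the store name with HMAC, so the addresses are distinct and unguessable but
can always be mapped back to the store they were planted in.
"""
from __future__ import annotations

import hashlib
import hmac
from datetime import datetime
from typing import Dict, Iterable, Optional


class CanaryRegistry:
    """Mints one fabricated customer per data store and attributes sightings."""

    def __init__(self, key: bytes, domain: str = "mail.example.com"):
        # `key` is a long-lived secret kept outside the monitored stores; if an
        # attacker could derive the canary addresses they could avoid them.
        self.key = key
        self.domain = domain  # placeholder domain; assumed to be one you control
        self.by_address: Dict[str, str] = {}

    def plant(self, store: str) -> dict:
        """Return the record the caller inserts into `store`."""
        tag = hmac.new(self.key, store.encode(), hashlib.sha256).hexdigest()[:10]
        address = f"jordan.harper.{tag}@{self.domain}".lower()
        self.by_address[address] = store
        return {"name": "Jordan Harper", "email": address, "store": store}

    def attribute(self, address: str) -> Optional[str]:
        """Name the store a sighted address was planted in, or None if not a canary."""
        return self.by_address.get(address.strip().lower())

    def first_sightings(self, log_lines: Iterable[str]) -> Dict[str, datetime]:
        """Map each leaked store to the earliest time its canary was contacted.

        Lines are expected as '<ISO-8601 UTC timestamp> RCPT TO:<address>';
        other lines, and mail to addresses that are not canaries, are ignored.
        """
        seen: Dict[str, datetime] = {}
        for line in log_lines:
            parts = line.split()
            if len(parts) < 3 or parts[1] != "RCPT":
                continue
            field = parts[2]
            if not (field.startswith("TO:<") and field.endswith(">")):
                continue
            store = self.attribute(field[4:-1])
            if store is None:
                continue
            when = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
            if store not in seen or when < seen[store]:
                seen[store] = when
        return seen


def demo() -> Dict[str, datetime]:
    """Plant canaries in three placeholder stores and scan a constructed log."""
    registry = CanaryRegistry(b"rotate-me-and-never-keep-me-with-the-data")
    stores = ("crm", "mailing_list", "billing_db")
    canary = {s: registry.plant(s)["email"] for s in stores}
    # Constructed MTA log excerpt, not real traffic: a real customer, the
    # mailing-list canary twice (once in upper case), and an unrelated line.
    sample_log = [
        "2021-03-04T09:12:00Z RCPT TO:<real.customer@example.org>",
        f"2021-03-04T09:15:30Z RCPT TO:<{canary['mailing_list']}>",
        f"2021-03-03T22:40:10Z RCPT TO:<{canary['mailing_list'].upper()}>",
        "2021-03-04T09:16:00Z MAIL FROM:<sender@example.net>",
    ]
    return registry.first_sightings(sample_log)


if __name__ == "__main__":
    for store, when in demo().items():
        print(f"{store}: canary first contacted at {when.isoformat()}")
```

Only the mailing list canary appears in the sample log, so only that store is reported, together with the earliest contact time, which is the figure that bounds how long the data has been in circulation. Because every canary has an address that is otherwise unused, a single message to it is a high-confidence signal, unlike a spike in spam to real customers, which could have many explanations.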
There’s no perfect guarantee against a data breach. But you can greatly reduce the risk by taking steps to secure data and monitor your infrastructure. And should the worst happen, KYND’s data breach monitors will alert you straight away, enabling you to be timely, honest and transparent with your customers. That means vital protection for your customer base as well as your business. If you’re interested in any of these ways in which KYND can support you in protecting your business and customer data, get in touch and we’ll be more than happy to help.