July 18, 2019 | 9 min read
Why Data Breach Response Is So Slow and How It Affects You
Imagine that you have a wonderful apple garden. In summer, you find a guard to watch it. One night the apples start to disappear. The stealing goes on, but the watchman is too silly to notice it. When the shortage becomes obvious, he is scared to tell you. You discover the truth when it’s already too late: your beloved garden is empty and someone made off with your precious fruit.
Sadly, the same story often happens to the personal information of millions of people “guarded” by companies. We live in a reality of ubiquitous data breaches. And the fact is that companies need long months to discover leaks. In contrast, it takes hackers only minutes to perform an attack and compromise data. While businesses stay unaware of the leak, cybercriminals can casually use the consumer data to drain bank accounts, take out loans, cover crimes, and get up to no good. What is worse, the abuse is compounded when companies postpone shameful confessions of their vulnerabilities.
Company breach detection timing
An uncomfortable truth has been recently revealed: on average, a company data breach stays undiscovered for a shocking 197 days—more than 6 months. Frustratingly, it takes another 69 days (over 2 months) to fix the problem.
So what’s the problem? Why can’t companies seem to notify consumers earlier?
In a company, slow breach detection happens for a number of reasons.
- The stealthy nature of hacking attacks. External attackers may abuse technical vulnerabilities or trick employees into handing over access credentials. Malicious insiders have even more opportunities to do harm by using the privileges they already have. In all cases, it’s hard to detect the attack until, often, it’s too late.
- Insufficient attention to corporate cybersecurity. Safety requires investments in both employees and technical tools. Businesses that understand this have prevention mechanisms and data breach response plans set up. In contrast, companies that don’t prioritize cybersecurity are likely to end up with severe incidents.
- A lack of skillful cybersecurity specialists. It takes extraordinary diligence, curiosity, and experience to keep up with all the new security threats and safety tools. But these days, there’s a huge lack of cybersecurity talent in the global market. Experienced professionals can be hard to find even if a company prioritizes security.
It seems that at least large and reputable corporations with enough resources are more likely to prevent company data theft or detect it quickly. Still, numerous cases prove the opposite—that no matter how big or financially able, a company can still be vulnerable to a breach and handle it poorly.
Here are some examples of when it took businesses a scary amount of time to notice a data breach.
Naturally, you’re thinking: “Can’t these companies get help to notice problems earlier?” The good news is that support indeed exists—and often for free. The bad news is that businesses often ignore or neglect it.
“There are literally hundreds of security researchers and teams around the world looking for exposed databases on the internet. Their main aim is to inform companies about data breaches and vulnerabilities before hackers reach this data,” Vitaliy Mechytashvili, Security Researcher at the MacKeeper Anti-Malware Lab, explains. “When researchers manage to get in touch with database owners, they face a spectrum of different reactions. Some companies are grateful and collaborative, fixing issues quickly to mitigate the consequences as soon as possible. Other data owners are suspicious and slow in reacting to the situation. Finally, there are companies that don’t care about security, ignoring messages about data exposure.”
No wonder some organizations find themselves in the center of data breach scandals.
Company breach announcement delays
After a company finally discovers an incident, it’s time to act. Data breach response steps include both fixing the technical problem and deciding how to communicate the incident to customers and respective officials.
Announcing a data breach is no longer simply a matter of a company’s goodwill. These days, international and national laws, as well as state laws within the US, regulate the circumstances and deadlines for communications around data breaches. Multinational companies have to act in accordance with numerous legislative requirements. Failure to do so can mean heavy consequences.
A perfect example is the case of Uber. In 2016, the company experienced a data breach. Instead of disclosing it, Uber paid the hackers $100,000 to hide the leak. Only a year later was the breach announced. Further investigation involving State Attorneys General across the US focused on Uber’s violation of data breach notification laws. Eventually, in the US, the company was fined $148 million. Later, separate investigations took place in the UK, the Netherlands, and France. These cost Uber an additional $1.6 million in fines.
So, what are the proper timelines for breach notification according to the legislation in the US and in the EU?
In the US, many state laws require companies to provide notice to residents, government representatives, and credit reporting agencies. As for individuals, it’s often stated that notification should be made “in the most expedient time possible and without unreasonable delay.” However, a number of states go further and set specific notification timeframes of 10, 30, 45, or 60 days.
For EU residents, the General Data Protection Regulation (GDPR) rules apply. If a breach poses a risk to the rights of individuals, the company must notify a data protection authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If the risk is assessed as high, the company must also notify the affected individuals “without undue delay.”
Now, what do we have in practice? Let’s check out a few examples where it took companies months to get up the courage to announce a data breach.
To be fair, there are multiple cases of companies reacting quickly to data breaches and communicating them properly. Take British Airways, a key figure in a recent, widely publicized data breach scandal. The company faced a $229 million fine under GDPR for “poor security arrangements” that led to the personal data theft of more than 500,000 customers. However, to its credit, British Airways communicated the breach to its customers in just one day.
All in all, the situation remains unsettling for all of us who hand our personal data to multiple businesses daily. Even in the best-case scenario, cybercriminals can outrun even the most cautious and diligent companies. It’s still our own responsibility to protect our personal data beforehand and act properly in case of a data breach. If you're not sure how to go about keeping your personal data protected, we have all our recommendations neatly collected in a single identity theft prevention cheat sheet!