What to do when breached
Surviving a data security breach
The news of being breached comes like an unexpected gut punch… delivered by a tank. While it can be quite overwhelming and scary, it must be dealt with for your business to survive.
Breaches happen every day, data is compromised around the clock all over the world, so when (not if) it happens to you or your business, you need to know what to do about it. Understand and accept the simple fact that there will be negative fallout in any breach where sensitive customer information is stolen. This negative fallout can be, at the very least, financial, reputational, legal, or any combination of the three.
Regardless of the size of your business, the amount of data that is compromised can be small and manageable just as easily as it can be massive and catastrophic. In fact, what many business owners don’t realize is that 90% of data breaches involving payment information happen with small businesses.
Large company breaches that haunt the news do not happen nearly as often as breaches of small and medium sized businesses who have fewer resources available to defend themselves with.
The average out-of-pocket cost of a data breach for small businesses (in 2014) was $36,000 and can easily reach or exceed $50,000.
How do I even start dealing with this?!
There are two main components of every breach investigation, 'containment' and 'remediation'. First and foremost, containment is key, STOP THE BLEEDING! For the purposes of containment, there are two main areas that need to be looked at; your computer network/payments acceptance solution, and your staff (ALL of your staff, regardless of their position/title).
Let’s start with the network and equipment tied to your payments acceptance method, as this is in most cases easier to immediately control. Any computers, network equipment such as routers and modems, terminals, or other equipment that accesses, stores, transmits, or otherwise uses sensitive customer information should be immediately disconnected from the internet and/or your network. It is vitally important that you DO NOT turn off or power down any terminals, network equipment, or computers, just disconnect them from the internet or network. Powering down/off equipment in most cases can destroy digital forensic evidence that you might need to resolve the current breach and to protect your business from future attacks.
Some of the ways that your business could be compromised via the internet are (but not limited to):
- A direct hack of your internal network
- You and/or your company’s use of default logins and/or passwords for any system or network component
- Malware or viruses from email or infected websites
- A breach of a vendor/supplier/service provider that has remote access to your network
- (for online merchants), a breach of your online shopping cart website or web hosting provider
OK, my network is contained, what’s the next step?
Once you have disconnected every part of your business and network that handles sensitive customer information from the internet, start looking for other ways your customers' information could have made it out into the wild. We never want to think that an employee or business associate may have been involved, but you should never underestimate the human element. It could have been an accidental, careless, or even a deliberate act carried out by one or more people.
There are a number of ways your own staff could be responsible, intentionally or not, such as (but not limited to):
- Disclosing information regarding your merchant processing account with unauthorized people or companies
- Failure to follow security guidelines, policies, and procedures for handling sensitive information
- 'Skimming' or otherwise stealing payment card account information by recording it or writing it down for later fraudulent use
Finding the source of the leak so it can be stopped is a major step in the investigation process, but so is accurately determining what information was compromised and how long the leak went on for. Performing an 'impact analysis' to determine the full scope of the compromise should start either at the same time as containment efforts or immediately afterwards.
So, what did they get?
Whether you were hacked or someone was 'skimming' customer information to later use fraudulently, it is important to determine how much and what kind of information was compromised. Was it only payment card account numbers or were other things stolen too. Look for unauthorized access of information such as security code numbers (CVV/CVV2/CID/PIN), card expiration dates, cardholder names, customer contact information (home address, phone numbers, email addresses, social security numbers, etc.).
Whatever you find, don’t hide it! You will not be the only one investigating: what you found will in all likelihood be found by someone else too. Attempting to hide evidence will only project a public and professional image of dishonesty that will negatively impact both the investigation, and your customer’s trust.
How long was this going on?
Most of the time when a breach is reported to you, an 'exposure timeframe' will be included in the notification, however, it is extremely important to understand that this is a timeframe based on limited information. Very often it is discovered that a breach went on for far longer than the exposure timeframe first identified by banks and the credit card companies.
OK, I found and stopped the leak and figured out what information was stolen, now what?
Once you have identified how you were breached, what information was stolen, and how long this had been going on, there are a number of next steps you must take.
1. Preserve Evidence
Earlier we said to disconnect but not to power down/off any equipment on your network to ensure digital evidence is preserved until the cause or source of the compromise is determined. To make sure you do not destroy evidence that may be necessary to help you investigate details about what was breached how and what was stolen:
- Do not access, update, or alter compromised system(s) (e.g., do not log on to the compromised system(s) and change passwords; do not log in with administrative credentials).
- Do not turn off, restart, or reboot the compromised system(s). Instead, isolate the compromised systems(s) from the rest of the network by unplugging the network cable(s) or disabling Wi-Fi and Bluetooth connections.
- Identify and document all suspected compromised components (e.g. PCs, servers, terminals, logs, security events, databases, PED overlay’s etc.).
- Document all containment and remediation actions taken, including dates/times (preferably in UTC), individuals involved, and detailed actions performed.
- Preserve all evidence and logs (e.g. original evidence such as forensic image of systems and malware, security events, CCTV/security camera recordings, web logs, database logs, firewall logs, etc.).
2. Execute Your Notification Plan
Immediately notify all relevant parties of the compromise, including your:
- Internal incident response team and information security group
- Merchant bank (also known as your acquirer or acquiring bank)
- Merchant Services Provider
- Third party service providers such as web hosting providers and Point of Sale vendors you use
- Manufacturer of the impacted payment device if you have determined that the incident involves the compromise of a PIN Entry Device (PED), specifically if it is a PCI PTS-approved device.
- Legal department (or counsel) to determine if laws mandating customer notification are applicable. It is strongly recommended that you also immediately notify:
- The appropriate 'local' law enforcement agency in the event of an account data compromise.
- Federal law enforcement if the compromise is in the United States. The United States Secret Service Electronic Crimes Task Forces (ECTF) focuses on investigating financial crimes and can assist with incident response and mitigation of an account data compromise. Visit www.secretservice.gov/investigation for ECTF field office contact information.
3. Perform a Forensic Investigation (when required)
One or more of the credit card companies may require you to engage a Payment Card Industry Forensic Investigator (PFI) to perform an independent investigation. These investigations are sometimes referred to as a ‘PFI audit’. If you are informed that a forensic investigation of your network and equipment is required, the following timeline must be followed:
- Engage a PFI (or sign a contract) within five (5) business days
- Provide the initial forensic (i.e. preliminary) report within ten (10) business days from when the PFI is engaged (or the contract is signed)
- Provide a final forensic report within ten (10) business days of completion of the review
Note: The PFI cannot be an organization that is affiliated with you or your business or that has provided services to the you or your business in the past, such as: previous PFI investigations, Qualified Security Assessor (QSA), advisor, consultant, monitoring or network security support, etc.
The credit card companies will not accept forensic reports from non-approved PFI forensic organizations. PFIs are required to provide forensic reports and investigative findings directly to the credit card companies.
A list of approved PFI organizations is available at:
www.pcisecuritystandards.org/assessors_and_solutions/pci_forensic_investigators
Will this investigation ever end?!
Yes, if you have made it this far, you are in the home stretch. To briefly recap, by now you should have been able to contain, identify the source of, and remediate the compromise; taking detailed notes along the way of what you have done and when. What is left to do is clearly and properly documenting all of the containment and remediation steps along with any findings and validating PCI DSS compliance for your business.
myPCI.com will provide your business with forms to document containment and remediation efforts you have undertaken and completed. These forms are provided in the email notification sent to you at the start of the investigation.
PCI DSS compliance validation can be accomplished via our PCI program (operated by a third party Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), Security Metrics). You may also use the services of another PCI DSS QSA and ASV if you do not participate in myPCI.com’s PCI program. The Card Brands require all PCI DSS compliance validation documents, including network scanning reports when required, to be signed and dated by the controlling principal or other authorized officer or staff. To ensure this is handled quickly and efficiently, myPCI.com will send copies of all PCI validation documents back to you via DocuSign. Simply click on the link in the DocuSign email you receive and follow the signing instructions, the signed documents are automatically available to us to collect and provide to the investigating Card Brands.