Digital Fingerprints

Managing Data-Breach Crises


It's almost impossible for your organization to operate without collecting or holding electronic personally identifiable information (PII), which requires you to protect against data breaches. If you don't, your organization will lose not just its reputation but possibly millions of dollars in damages and victims' class-action lawsuits.

However, despite your best prevention efforts, you must still be prepared to investigate a possible data breach.

The European Union directive 95/46/EC defines PII - or "personal data," as the EU calls it - as "any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." PII includes full names, Social Security numbers, birth dates, addresses, credit card numbers, or any other descriptive information.

At the end of 2007, 39 U.S. state legislatures had introduced breach notification bills that regulate the responsibilities of companies that are data-breach victims. Other countries, including Canada and New Zealand, have enacted data-breach laws. The laws differ but all require organizations, under civil penalty and/or fines, to notify individuals that their personal information has been exposed through a data breach.

DATA-BREACH SOURCES 

In the pre-Internet world, mainframe computers ruled the world, so employees - insiders - were the prime data-breach perpetrators. But with e-commerce's advent, data breaches originating from outside organizations are more prevalent. (However, insider actions still generally yield much larger breaches than outsider activities, according to Verizon's 2008 Data Breach Investigation Report.)

Criminals don't always cause breaches; careless employees can lose or misplace backup tapes, hard drives, and other electronic media. The data might not end up in the wrong hands, but breaches must still be reported. The incidents can tarnish corporate images as much as criminal breaches even if the information wasn't used for fraudulent purposes.

IDENTITY THEFT 

After a successful breach, the perpetrators look for an outlet in which to convert the stolen PII into some form of currency. If the thieves don't use the information themselves, they often sell or trade the information on underground economy servers. (That will be the topic of my next column.) A full identity can fetch up to $15 and bank accounts cost from $10 to $1,000, according to Symantec's April 2008 Global Internet Security Threat Report.

MANAGING THE CRISIS 

Managing the crisis surrounding a data breach encompasses elements of incident response, computer forensics, and fraud examination. An organization must first understand the breach's extent to determine exactly which information has been affected so it can meet the notification requirements mandated by legislation. You'll have to conduct an in-depth review, but be careful not to spoil any evidence when containing the breach; otherwise you could compromise the investigation and lose your ability to avoid litigation.

You'll need to establish the following when identifying the extent of the breach:

  • Determine the exact elements of PII that have been breached and their sensitivity. Determine how the information could be used and in what context.
  • Identify who's affected and determine their relationships to the organization. Try to discover the original location of the stolen information. Find evidence that can lead to the perpetrators and discern when they might have stolen the data.
  • Determine where the stolen information was stored, and how, when, and by whom the systems and data were accessed. When you do this, you also should be able to determine the ways in which the perpetrators handled and extracted the stolen information and the likely number of original recipients. 
  • Determine if the information was lost or stolen. If it was stolen, discover the circumstances to find out if the thieves actively targeted the data or if it was incidental to the theft of electronic media.

By the time you discover a data breach, you might find that the thieves had struck months earlier. Your computer forensic examiner might have to go back in time to establish facts about the breach and examine the victim systems and these logs:

  • Application logs can store information about user activity and the ways an application reacts to various events such as queries or failed log-ins, among other behaviors, which could tie specific actions to a time and possibly a user. They could also reveal anomalies such as intrusion attempts. 
  • Database transaction logs can store such user-activity information as timestamps, usernames, and the success or failure of an action. 
  • Firewall logs can store information about network communications because they protect the perimeter of a network. The forensic examiner can identify timestamps, types of communication, and systems used. 
  • Intrusion detection and prevention system logs record anomalous network events (and prevention systems sometimes block them). The forensic examiner can examine the logs to identify a breach and failed attempts. 
  • Network flow logs contain network communication data including the size of the exchanged information. The forensic examiner can use this information to identify anomalous communication patterns.

IT must religiously maintain accurate logs so the forensic examiner can use the data to establish a timeline of the investigated events and determine where specific information was stored. The logs have to record successful and failed actions so you'll have a complete, accurate portrait.
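As an added illustration (not part of the column), the script below shows the normalisation step the examiner performs before building a timeline: three constructed log sources in their own native formats (an application log, a firewall log, and a network flow record) are parsed into one sorted event list, which is then scanned for the kinds of anomalies the column lists: a failed log-in followed by a success, a bulk read of a table, and an unusually large outbound transfer. All log lines, hostnames, addresses and thresholds are made up for the example, and the firewall year is assumed because syslog-style lines carry none.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not from the article). Each source uses its own
# native layout, which is why a forensic timeline starts with normalisation.
APP_LOG = [
    "2008-03-02T01:12:07Z login user=jsmith result=FAIL src=203.0.113.7",
    "2008-03-02T01:12:31Z login user=jsmith result=OK src=203.0.113.7",
    "2008-03-02T01:14:02Z query user=jsmith table=customers rows=48210",
]
FW_LOG = ["Mar  2 01:14:40 fw ACCEPT 10.0.0.5:443 -> 203.0.113.7:51322 TCP"]
FLOW_LOG = ["1204420510,10.0.0.5,203.0.113.7,443,51322,96340112"]  # epoch,src,dst,sport,dport,bytes
LOG_YEAR = 2008  # assumed: syslog-style firewall lines carry no year

def parse_app(line):
    ts, action, rest = line.split(" ", 2)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev.update(ts=datetime.fromisoformat(ts.replace("Z", "+00:00")), src="app", kind=action)
    return ev

FW_RE = re.compile(r"(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ (\w+) (\S+) -> (\S+) \w+")

def parse_fw(line):
    mon, day, clock, verdict, client, peer = FW_RE.match(line).groups()
    when = datetime.strptime(f"{LOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return dict(ts=when.replace(tzinfo=timezone.utc), src="firewall", kind="conn",
                verdict=verdict, client=client, peer=peer)

def parse_flow(line):
    epoch, client, peer, _sport, _dport, nbytes = line.split(",")
    return dict(ts=datetime.fromtimestamp(int(epoch), tz=timezone.utc), src="netflow",
                kind="flow", client=client, peer=peer, bytes=int(nbytes))

def build_timeline(app, fw, flow):
    """Merge every source into one list ordered by (UTC) timestamp."""
    events = [parse_app(l) for l in app] + [parse_fw(l) for l in fw] + [parse_flow(l) for l in flow]
    return sorted(events, key=lambda e: e["ts"])

def flag_anomalies(timeline, bulk_rows=10000, big_flow=50_000_000):
    """Return human-readable findings for the examiner to follow up on."""
    findings, last_fail = [], {}
    for e in timeline:
        if e["kind"] == "login" and e.get("result") == "FAIL":
            last_fail[e["user"]] = e["ts"]  # remember the failure for correlation
        elif e["kind"] == "login" and e.get("result") == "OK" and e["user"] in last_fail:
            gap = (e["ts"] - last_fail[e["user"]]).total_seconds()
            if gap <= 300:
                findings.append(f"{e['ts']:%H:%M:%S} login OK for {e['user']} {gap:.0f}s after failure")
        elif e["kind"] == "query" and int(e["rows"]) >= bulk_rows:
            findings.append(f"{e['ts']:%H:%M:%S} bulk read of {e['table']} ({e['rows']} rows)")
        elif e["kind"] == "flow" and e["bytes"] >= big_flow:
            findings.append(f"{e['ts']:%H:%M:%S} {e['bytes']} bytes to {e['peer']}")
    return findings
```

Because the application records only the successful and failed actions it was configured to log, the timeline is only as complete as the logging the column asks IT to maintain.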

WORKING WITH THE EXPERTS 

Complex data breaches require more than a cursory review of electronic evidence. Use the technical and investigative skills of your organization's forensic examiner to get to the bottom of the incident.

In the next column, we'll take a closer look at underground economies and how they operate.

Jean-François Legault, CISSP, CISA, CISM, GCIH, GCFA, is a senior manager with Deloitte's Forensic & Dispute Services practice in Montreal, Canada. 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
