There is no such thing as a good user-data leak, but the way a company responds when their network security is breached can set the tone for the public perception of the incident.
Security breaches are a constant risk, but even non-technical consumers can tell the difference between a company that cares about security and has prepared and a company that simply wants to limit the damage to its bottom line.
The recent massive leak of sensitive data from credit-checking agency Equifax is likely to become a textbook example of what not to do. The breach was known about for a month before it was publicly disclosed, putting consumers at risk of identity theft. Executives at the company started selling stock before public disclosure. The breach was caused by an easily avoidable vulnerability.
Communication with the public was appalling. The response to the incident included credit monitoring services, but a clause in the terms and conditions seemed to include a waiver for participation in any class action suit related to the breach.
The impression given was of a company that simply didn’t care about consumers and was only interested in protecting its executives and revenue. Equifax had made minimal preparation for managing a security breach. As a result, the media took a hard line and it’s difficult to believe that Equifax will be trusted in the future.
Disqus is a commenting platform used on tens of thousands of sites around the world. If you regularly comment on blogs and news publications, you probably have a Disqus account. In October, there was a security breach that caused the leak of a Disqus database including usernames and hashed passwords.
Although nowhere near as serious as the Equifax leak, this was a significant breach of user trust and could have had a devastating impact on the brand’s reputation. But Disqus’s response was the polar opposite of Equifax’s.
The vulnerability was reported to Disqus by a security researcher. The same day, the company contacted affected users and reset their passwords. Within 24 hours, the leak was publicly disclosed in a detailed blog post that revealed who was affected, how the breach happened, and what the company had done about it.
Disqus was prepared for security incidents and understood how to react. No one was happy that their data had been leaked, but the tone of the response by consumers and in the media was different. Users were angry, of course, but not to the same degree as Equifax’s victims.
Security professionals are holding Disqus’s response up as an example of how companies should respond to security incidents. Disqus leaked private and sensitive data, and they’re being praised for their response rather than denounced for the leak.
Anyone who stores sensitive user data should study the Equifax and Disqus breaches and the responses of the companies involved. Lessons to be learned include:
Preventing data leaks is the priority, but if one happens, the way your company manages the incident can make a big difference.