Data Breaches – It’s not if. It’s when!

Written on September 13, 2022. 10 days later, Optus.

Some years ago, I was purchasing a new road bike, all carbon fibre and unobtainium. The bike shop owner also talked me into a new helmet. His sales pitch was “you’ll need this for when, not if, you come off.” He was not wrong. I did, eventually, come off. Big time. Bruised ego, road rash, broken ribs, but a fully intact head. Which is more than I can say for the seriously cracked helmet.

In a world where everyone is collecting data on everyone else – even the taco sellers want you to order, and pay, via their App – it really is a case of when data security is breached, not if.

The pandemic and the ubiquity of the QR code has resulted in a flood of service providers driving customers online and onto Apps to execute transactions, most of which require input of personal and credit card details. What could possibly go wrong?

The answer is, quite a lot. In many cases the collected data is stored, and payment processed, by third parties. Another link in a chain of custody of sensitive information.

Are you certain that the data you are collecting, or that is being collected on your behalf, is secure? Other than general reassurances about security protocols and systems in place (most of which is indecipherable technical jargon) what tangible security measures are in place, particularly at the weakest points, being where your staff or contractors physically enter or access data?

Of the last four crisis management tasks we have been asked to assist with, three have been data breaches.

Managing a data breach is a complex task. Not only do the data security experts need to track down and plug the leak but a wide range of stakeholders, from customers to regulatory authorities to business partners and the media, all need to be sensitively communicated with and reassured that matters are (hopefully) in hand.

That requires a set of skills that are not usually held by day-to-day operating staff. Taking two important steps will help in navigating the challenges presented.

• First, assume it will happen to you and develop and rehearse a crisis management plan.

• Second, immediately you become aware of a potential breach, call in your crisis team, made up of key internal and critical external technical, communication and legal support, to work on responses and reputational protection.

The damage that can be done to corporate reputation by slow and inadequate response can be fatal. Even if the breach originated due to a failure within your organisation, if you move quickly, decisively and appropriately, you stand a good chance of minimising the damage, to you and to your customers.

In an interconnected world where online security is continually being tested by bad actors, everyone understands that challenges may arise. It is how you respond that will determine whether you retain or lose trust.

The best way to ensure you respond effectively is to be prepared. Get a data breach crisis plan together, engage the necessary external support and rehearse.

When it does happen, move quickly to bring that team to the multifaceted task of fixing the breach, communicating with stakeholders and interested parties and rebuilding the trust that every business relies on.

RMK+Associates has long experience in preparing for and managing corporate crises, including numerous data breach incidents. We have long-standing partnerships with data security experts, we have comprehensive stakeholder management skills, and we can work closely with clients’ legal counsel to prepare for and respond to serious data breach events.

Are you ready?

Just in case you think we may be overstating the risk, here are only a few examples of recent cases that have created chaos:

Optus

Huge data breach. Up to 10 million customers impacted. Optus first suggests customers should use the My Optus App to find out what is going on. Massive fail! CEO comes out next day with an almost tearful apology and promises of further restorative action, but still can’t specify what happened or how they will fix it.

Uber

Hacker gains access to all internal systems through a phishing attack. All Uber email systems and team online tools shut down for an extended period.

A 2016 attack stole the details of 57 million driver and rider accounts. Uber paid $US100,000 ransom to have the copies deleted and kept the breach secret for over a year. Uber’s then security chief charged with failure to disclose the breach to regulators and is currently on trial.

APT Travel Group

Attack takes down all booking systems and compromises data. Company refuses to confirm that it paid a seven-figure ransom to unlock its systems and recover data.

DoorDash

Phishing attack exposes customer data including partial payment details. Company has to cut off access to some third-party vendors and re-engineer its security protocols.

International Committee of The Red Cross

Hackers gain access to personal data of more than 510,000 people worldwide. ICRC did not detect the breach for 70 days. Impacted servers taken offline for an extended period. Compromised data not recovered.

Toll Group

Suffers two attacks in one year, shutting down various elements of their online customer services and compromising customer data. Attackers demand a ransom, Toll refuses, endures weeks of disruption.

Sorry, not sorry

You will be accountable, but we won’t.

By Alexander Corne

Accountability almost appears to have become a dirty word in both government and within the ballooning public servant ranks.

Witness that in Victoria, triggering a death toll three times that of the road toll doesn’t stimulate real apology, or even an acceptance of responsibility, by anyone.

Yet, we, the citizens, are constantly bombarded by ‘public safety’ messages from government, reminding us of our ‘responsibilities’ and the fact that we need to be constantly monitored to ensure compliance with many and various rules. Funnily enough, no such campaigns trumpet the need for political accountability.

“Catching you before someone gets hurt,” the TAC billboard sternly threatens.

Seriously, how mind-bogglingly arrogant are these desk-driving wonks?

And why is the focus solely on road-related deaths?

Are the police and heroic emergency services personnel not also sick of scraping suicide victims off the roadway, or attending yet another distressing domestic violence scene?

Funny how you never see billboards accusing the populace in general of being inherently suicidal or intrinsically natured to beat the living daylights out of their family members. Although, in the latter case, some of the ‘public awareness’ campaigns have got perilously close to demonising all members of one gender.

Of course, it may have something to do with the measurability and predictability of vehicle-related offending.

Some bright spark created a notional maximum speed for each stretch of road and another sparkie ordered a speed measuring device, and, given that you need a driving license and are allowed a randomly determined 12 points leeway before being drummed off the road, it’s quite simple and profitable to allocate points and issue fines to those breaking the road rules.

It’s not so simple with more complex areas of personal and public behaviour.

For example, thus far, the protectors of the public haven’t tumbled to the concept of modifying the marriage license for regular Joes and Jolenes so that it comes with a built-in demerit system. But just imagine if they did …

Say you get another 12-point system. A few bitchy words in the morning would be worth a single demerit point and a $50 fine. A slap is three points and $150, and so forth, right up to injury occasioning death being 12 points with an immediate loss of licence and, deservedly, an extremely lengthy term of imprisonment.

This is not meant in any way to trivialise the scourge of domestic violence, which is abhorrent in all its forms, but to illustrate how problematic it is to apply broad brush, penalty driven ‘solutions’ to serious community issues. The frightening bit is that in 2021, with the increase of data gathering and routine surveillance, it would not require too much of an extension of government intrusion into daily life to make such a ludicrous proposition a reality.

Remember the CovidSafe App? No. Me neither, but there’s already a SmartSafe+ app that helps victims of domestic violence, so with a bit of tweaking and integration with a smart watch…

Such punitive approaches are far easier to sell to the masses than the much more difficult and longer-term educational, and structural issues that need to be dealt with. After all, if you’re not doing anything wrong, you have nothing to fear. Right?

So, we citizens are expected to be responsible and held to account, even continually monitored, for fear we let our base nature loose.

Imagine if the populace were to hold politicians to a similar level of account?

When you rise to the lofty levels of government, perhaps you deserve a licence along with a 12-point demerit system? Inappropriate contact with interns is worth a single demerit point and a reduction in your re-election budget, an ongoing office affair earns three points, while actual sexual assault gets you six to 12 demerit points.

Naturally, being merely accused of some heinous sexual activity, many decades before, while a teenage prat and under the influence of alcohol, is a 12-point hanging offence, leading immediately to a lifetime ban from civil society.

And if so, what of ‘forgetting’ or being ‘not aware’ of vital information that leads to catastrophic outcomes? What punishment awaits those who can’t recall who instituted policies that led to the death of 800 innocents?

Oh yeah, that’s pointless.

Because the deaths of 800 persons, in one state, in the course of one year, three to four times the State’s road toll, is not worthy of any state government action. No TV campaigns. No billboards. No demerit points. No accountability required at all.

Funny that. Not.

Business does not enjoy such immunity. Have a quick look at Victoria’s new Industrial Manslaughter laws, which, as it happens, came into force on 1 July 2020 (timing is everything).

Perhaps if politicians applied the same standard they expect of businesses to themselves we might see a return to a greater sense of accountability of our ruling classes and, dare I say, see them leading by example. Maybe that could reduce the need for the constant behavioural lecturing of the populace? One should not hold one’s breath.

From a business standpoint the responsibility is all yours. What’s more, given the level of formal and informal monitoring of everything your business says and does, you had better believe you will be held accountable. Being seen to be responsible and accountable is now an essential part of sustaining any business of even moderate size. Our political masters may shirk that responsibility, for now, but business can ill afford to.

RMK+A is experienced in developing and implementing actions that assist businesses in communicating their responsibility and accountability processes to key stakeholders and in managing issues emerging from events for which businesses may be held accountable.

An Impossible Standard to Meet – or – Nobody Expects The Spanish Inquisition

By John Kananghinis

OK, fair cop. I did it.

Forty some years ago I may have broken some road rules and possibly even made an occasional comment that would, today, be considered sexist. I may even have said that something one of my fellow teenagers said, or did, was ‘totally gay, dude’.

Lucky for me there was no Twitter, or Faceplant or whatever the latest online platform for the terminally immature and narcissistic is. No mobile phones, not even faxes. There was Telex (if you remember that, you too are old) but it wasn’t really anything one could consider social media. The only social media we had was the pen and paper, and perhaps the school magazine.

So, I probably did it, but there is no record. Therefore, all good.

Not so fast. Someone else, who never liked me all that much, remembers me doing it (whatever it was) and they even have a journal, purportedly from that far distant time, that, for some unknown reason, they have kept and have conveniently just found. Coincidently, just as I’m about to announce that I would like to be the Victorian Opposition leader – well, someone has to do it.

That’s the end of that, then. No public life for me. Far too compromised and clearly of poor character. After all, under 18s should always be held accountable for their actions in later life. They should be perfectly aware that what they do, or say, as adolescents, will determine the course of their lives and their suitability for any position, let alone high political office, forever.

Clearly that is a ridiculous proposition. Or is it?

Forget the ongoing issues in this country, character assassination based on the behaviour of children has surely reached its apogee when the newly appointed editor of Teen Vogue, a 27-year-old black woman, is drummed out of her position on the basis of allegedly homophobic and racist slurs she Tweeted when all of 17. Oh, and also because she turned up to a teen fancy-dress party in a Native American costume.

Despite, 3 years ago, having apologised for the (rather mild) comments, the staff of Teen Vogue and two of its advertisers could not stomach the thought of working with this racist white supremacist, no, wait, she’s black, remember?

Anyway, she’s toast, on the scrap heap, far too much for the snowflakes to bear.

With biblical teaching no longer in vogue (sorry, could not help that one) it’s no surprise that certain basic rules conveyed by such writings no longer apply, such as ‘Let anyone among you who is without sin be the first to throw a stone…’

I feel for the youth of today. They have no private space in which to grow up. To make mistakes, learn from them and mature. If current trends continue, they will be paying for their obsession with online existence for the rest of their lives. Can we cut the kids some slack and, for God’s sake, take the damn phones off them, for a while?

As they say in the classics, good luck with that.

RMK+A, sadly, has experience in addressing issues raised by employees’ past and present use of social media and can assist in navigating such perilous waters.