Assessing Data Breach Severity: Third-Party Incident Exposes Credit Card Data

Read the first two articles in this series: Hurricane Data Breach: Assessing Severity in the Eye of the Storm and Assessing Data Breach Severity: Employee Downloading Malware

Most businesses recognize the value of consumer trust and work hard to protect sensitive customer information from the threats of data breach. But once that data is in the hands of vendors, business associates, and other third parties—who often lack the proper security controls—protecting both data and trust becomes a much harder task.

In fact, 69 percent of IT professionals in the 2016 Vendor Vulnerability Index by Bomgar said they have definitely or possibly had a security breach caused by vendor access in the last year. If one of your vendors experienced a data breach involving your customers’ or patients’ data, would you know how to respond?

The Three Degrees of Breach Severity

In the first article in this series, I discussed how assessing the severity of a potential data breach can help you and your data breach partner plan a response that best meets the needs of your organization and affected individuals. Data breach severity can be categorized into one of three categories: low, medium, and high. (Please note that this classification refers to confirmed breaches that require notification under the law, and is not an analysis for determining if an incident is a reportable breach.)

The following elements of a breach are the basis of a breach severity assessment:

• The type of data breached
• The cause of the incident
• The nature of the breached population

The Assessment

Using the three criteria, we can assess the severity of a third-party breach at a hypothetical retailer. In this scenario, the merchant’s payment processor suffered a breach that exposed the names and credit card numbers of hundreds of thousands of customers.

• The type of data breached: Names and credit card numbers are considered personally identifiable information (PII) and are thus subject to data breach notification—and PCI— regulations. While credit cards are quickly and easily replaced, the chance for financial identity theft still exists. Thus, this element could be classified as medium.
• The cause of the incident: A security glitch at the payment processor left the data temporarily exposed on an external site. The lack of criminal intent, and the fact that there is no evidence of unauthorized access or misuse, would classify this element as low.
• The nature of the breached population: Affected individuals are the retailer’s customers, and might include unique populations such as the elderly and non-English speakers. The retailer, a well-known regional name and chain, has a loyal customer base, and the breach was heavily reported in local news outlets. Given the importance of brand loyalty and the retailer’s reputation, this element would be classified as high.

Overall Level of Severity: One high, one medium, and one low category would classify the overall severity of this breach as medium.

Mapping Out a Response

The retailer’s response would include the following:

Notification: Financial data is regulated and requires notification according to various federal and state breach notification laws. The retailer may also consider email and social media communications in addition to the formal notification letters. All communications should direct the customers on the proper preventive measures to be taken, namely to call their bank or card issuer and alert them of the incident. They also may choose to cancel the card to prevent criminals from perpetuating financial or other forms of fraud.

Call center/website: Affected individuals will want a place to call for questions and/or to enroll in identity protection services. Despite the relatively close relationship between retailer and customer, the incident was not malicious and the risk of the data being misused is low; thus, call rates will be also low. The fact that customers were encouraged to cancel their cards to prevent fraud will also mean less call volume at the call center. The retailer could safely assume between 3%-7% of the population might attempt to call them.

Identity protection: This should be based on the type of data that was breached as well as whose data was affected. For financial information such as credit card numbers, credit monitoring will not provide sufficient protection against fraud. Since the stolen cards are already on the victim’s credit report, their use will not trigger an alert.

Dark Web monitoring would be more useful. This type of monitoring scans for the online buying, selling, or trading of the card number—an occurrence in more than 50 percent of breaches where a card is misused. In addition, the retailer may consider offering reimbursement insurance and fully-managed recovery for breach victims whose cards are misused. Enrollment rates will likely be lower than normal, and will mirror call center rates.

Remediation: The retailer should ensure its payment processor has updated security controls to prevent or mitigate future incidents. Conversely, the retailer may consider routine security audits of its vendors or switching payment processors entirely.

Your Data, Their Security

Putting sensitive data in the hands of third parties is an acceptable cost of doing business. However, vendors can be especially vulnerable to breaches, and your customers will look to you—not to your service provider—for help and answers when their information is exposed.

But preparing now for the inevitable will protect you and your customers against breach risks, no matter who’s at fault. This means ensuring vendor agreements are current and in place, performing vendor risk assessments, and establishing internal processes for managing vendor relationships. With the proper controls in place, you can face your consumers with confidence, knowing you have earned both their trust and goodwill.

Stay tuned for our last article in this series, when we assess the breach severity of a ransomware attack on a hospital.