A Surprising Turn: Company Apologizes Following Cyber Attack and Contributes Ransom Funds to Cybersecurity Research


Corporate Responses to Data Breaches: A Case Study Analysis

In an era plagued by incessant data breaches and cyber intrusions, a disheartening observation emerges: companies frequently eschew apologies.

Even amidst the turmoil faced by customers, partners, and employees grappling with the potential exposure of their personal data by nefarious hackers, affected organizations often recoil from articulating what appears to be the most challenging word: sorry.

Instead, compromised firms may resort to evasion, employing phrases like “out of an abundance of caution” and “we take your security seriously.”

However, an admission of error—an acknowledgment of wrongdoing—is rarely forthcoming. It seems that legal counsel advising them to “admit nothing,” fearing class action repercussions, has triumphed over the imperative to foster trust among clients, partners, and staff.

Regrettably, each hour spent behind opaque security advisories, merely referring to “incidents,” erodes trust far more significantly than an honest apology ever could.

This context makes the recent communication from Checkout.com particularly refreshing.

The ShinyHunters hacking group is reportedly responsible for an intrusion that compromised data from a legacy third-party cloud storage system managed by Checkout.com.

Mariano Albera, the company’s Chief Technology Officer, indicated that less than 25% of Checkout.com’s existing merchant base was impacted, tied to a system utilized strictly for internal documents and merchant onboarding processes prior to 2020.

Fortunately, the breach did not reach Checkout.com’s active payment platform, and no payment card data was accessed; the compromised system was an outdated one that had been used only before 2020.

Following the breach, Checkout.com encountered a ransom demand from the hackers (who had extracted data rather than encrypting it).

These criminals threatened to disseminate the stolen information on the dark web if their demands were not met.

What distinguishes Checkout.com’s response is its refreshing candor. The company refrained from offering excuses; instead, they disclosed the breach publicly and issued an apology.

“This was our mistake, and we take full responsibility. We are sorry.”

This sincere admission is certainly a rarity.

Checkout.com went a step further, asserting:

“We will not be extorted by criminals. We will not pay this ransom… We will be donating the ransom amount to Carnegie Mellon University and the University of Oxford Security Center to support their research in the fight against cybercrime.”

This compelling stance starkly contrasts the usual corporate recitations of “We’re investigating,” “We take security seriously,” and “We have no further comment at this time…”

Nonetheless, while this proactive communication is commendable, it is essential to temper our enthusiasm.

The uncomfortable reality remains that, despite Checkout.com’s swift and forthright disclosure, its security shortcomings persist unabated.

The breach stemmed from a legacy system, one apparently forgotten and left unmonitored since 2020. Legacy systems are fraught with risk—often remaining accessible, misconfigured, and unpatched.

Ultimately, the data breach occurred due to the failure to adequately decommission a legacy data storage system. While Checkout.com’s handling of the incident deserves praise, it nonetheless reveals a lapse in procedural diligence.

Other organizations can sidestep similar predicaments by proactively addressing vulnerabilities before malicious actors exploit them.


Security teams should undertake pre-mortem assessments, evaluating systems that may have been neglected, identifying legacy platforms still operating with valid credentials, pinpointing easy targets for attackers, and cataloging data residing on systems currently devoid of adequate security monitoring.

By embracing a more proactive approach to data security, companies can detect vulnerabilities before they metamorphose into breaches, thereby alleviating the quandary of whether they ought to say “sorry” when disaster strikes.
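The pre-mortem described above can be run mechanically over an asset inventory. The following is an added illustration, not code from Checkout.com or from the article’s source: it takes a constructed inventory (the asset names, dates and counts are invented, not data from the incident) and flags exactly the signals the passage lists: systems idle past a cutoff that were never decommissioned, legacy platforms with credentials still valid, decommissioned systems with leftover credentials, systems without security monitoring or a named owner, and personal data sitting on any of them. The scoring weights are assumptions chosen to rank those findings, not an industry standard.

```python
"""Pre-mortem triage of an asset inventory (added example; inventory is constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    owner: Optional[str]          # team accountable for the system, if any
    last_activity: date           # last legitimate business use seen in logs
    decommissioned: bool          # formally switched off and data destroyed
    active_credentials: int       # keys, tokens or service accounts still valid
    monitored: bool               # logs reach the SOC and alerts are reviewed
    holds_personal_data: bool     # customer, partner or employee data present


# Assumed weights: how much each finding contributes to the risk ranking.
WEIGHTS = {
    "stale": 3,              # idle past the cutoff but never decommissioned
    "live_credentials": 4,   # a stale system that can still be logged in to
    "unmonitored": 3,        # nobody would see an intrusion
    "orphaned": 2,           # no owner to patch it or answer for it
    "personal_data": 3,      # breach would expose people, not just the company
    "ghost_credentials": 5,  # "decommissioned" yet credentials still work
}


def assess(asset: Asset, as_of: date, stale_after_days: int = 365) -> List[str]:
    """Return the pre-mortem findings for one asset, in a stable order."""
    findings: List[str] = []
    idle_days = (as_of - asset.last_activity).days
    if asset.decommissioned:
        # A properly retired system should have nothing left to authenticate with.
        if asset.active_credentials:
            findings.append("ghost_credentials")
        return findings
    if idle_days > stale_after_days:
        findings.append("stale")
        if asset.active_credentials:
            findings.append("live_credentials")
    if not asset.monitored:
        findings.append("unmonitored")
    if asset.owner is None:
        findings.append("orphaned")
    # Personal data is only a finding when something else already makes the
    # system a soft target; an active, monitored system is its normal home.
    if asset.holds_personal_data and ("stale" in findings or "unmonitored" in findings):
        findings.append("personal_data")
    return findings


def risk_score(findings: List[str]) -> int:
    return sum(WEIGHTS[f] for f in findings)


def triage(assets: List[Asset], as_of: date,
           stale_after_days: int = 365) -> List[Tuple[str, int, List[str]]]:
    """Rank assets that have at least one finding, highest risk first."""
    rows = []
    for asset in assets:
        findings = assess(asset, as_of, stale_after_days)
        if findings:
            rows.append((asset.name, risk_score(findings), findings))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


# Constructed inventory for the example; not real systems.
AS_OF = date(2025, 11, 17)
INVENTORY = [
    Asset("legacy-onboarding-docs", None, date(2019, 12, 31), False, 3, False, True),
    Asset("payments-platform", "payments", date(2025, 11, 16), False, 12, True, True),
    Asset("old-crm-export", "sales", date(2018, 6, 30), True, 1, False, True),
    Asset("dev-sandbox", "platform", date(2025, 9, 1), False, 2, False, False),
]

if __name__ == "__main__":
    for name, score, findings in triage(INVENTORY, AS_OF):
        print(f"{score:3d}  {name:24s}  {', '.join(findings)}")
```

The forgotten onboarding bucket comes out on top because every signal fires at once: years idle, never retired, keys still valid, no owner, no monitoring, and personal data on board. The live payments platform, which also holds personal data, produces no finding at all, which is the point of the weighting: the question is not where the data is but where nobody is looking.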

Source link: Bitdefender.com.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

RS Web Solutions
