Keeping cybercrime secrets despite increasing data breach reports

We attempt to stay on top of cyber security and data breach topics here on the Online Tech blog, providing some industry perspective to news of large data breaches like those at Community Health Systems, P.F. Changs, eBay, Target and other unnamed victims.

Of course, we don’t cover them all. We’d be writing nothing else. You’d be reading nothing else.

Consider that along with reports today about Home Depot investigating a potential breach of customer credit card numbers, over the past two weeks alone there have been news reports on cyber attacks and data breaches at the following organizations: UPS, the Chicago Yacht Club, SuperValu, Schnucks, the Nuclear Regulatory Commission, US Investigation Services, Otto Pizza, Cedars-Sinai Medical Center, the University of Louisiana-Monroe, New Mexico State University, the University of Miami, PlayStation Network, JPMorgan Chase, Albertsons, Dairy Queen, the Memorial Hermann Health System, the Australian Federal Police, the Racing Post, the Summit County (Utah) Fair and half the population of South Korea.

That’s 20 organizations and one country for those keeping score at home. And there are probably others that escaped our radar.

In fact, news of large-scale data breaches have become so commonplace that CNET.com senior writer Seth Rosenblatt recently published an article about industry experts becoming concerned about alert fatigue – fearing “that people may throw up their hands and stop caring as news of even more breaches get reported.”

In that piece, Rosenblatt suggests that “companies are getting better at reporting security breaches, which also feeds into the perception that the increase in the number of breaches may even be larger than it really is.” He quotes Andy Serwin from analyst firm Morrison and Foerster as saying, “I’m not sure that we’re seeing more activity, or more attention on the activity.”

While that may be true, other reports issued just days later by different media outlets indicate that not all companies “are getting better at reporting security breaches.”

Take, for instance, the JPMorgan Chase data breach. As the Washington Post reports, rumors were circulating in cyber-security circles for a week that a major New York-based bank had suffered a data breach before JPMorgan confirmed it was victimized. The impression is that JPMorgan – like many companies before it – kept evidence of a cyber crime private until journalists forced the issue.

From that Washington Post story:

This reticence is both deeply rooted within corporate America and, to some consumer advocates, deeply infuriating. Had a family’s precious jewelry been stolen from a safe deposit box, any bank would have quickly notified the affected customer. Yet loss of personal information, especially when it happens on a mass scale, is treated differently, both by the law and by industry custom.

The result is that days, weeks or longer can pass between when a company learns of a cyber-crime and when its customers do. That gap, say security experts, can amount to crucial lost time for people who might want to protect themselves by monitoring transactions, changing passwords or alerting other relevant parties – such as a credit card company – that the risk of fraud or identity theft is elevated.

Dairy Queen is being similarly criticized. The following is an excerpt from a story in the Minneapolis/St. Paul Business Journal, noting two days had passed since the chain revealed a potential data breach at its stores – an admission seemingly coerced by a KrebsOnSecurity.com report:

The Edina-based restaurant chain hasn’t said how many stores were affected, how widespread the breach could be or how long it may have lasted. Though its brief announcement included a statement that it is complying with an investigation into the matter, it did not indicate what else it may be doing to protect customers. There are no notifications to customers on the company’s home page, its Twitter feed or Facebook page. Company representatives have not responded to requests for further comment.

But it’s not all bad news. The same story applauds another Minnesota-based company for properly handling its data breach. Within 24 hours of disclosing its breach, SuperValu, Inc. “had issued a full list of affected stores, along with information about the duration of the breach and what the company was doing in response. Supervalu also established a call center for concerned customers.”

RESOURCES:
CNET.com: As security breach reports mount, experts fear alert fatigue
Washington Post: Hacked? Customers are the last to know
Business Journal: Dairy Queen’s silence on data breach could have ‘corrosive effect’ on consumer perception, crisis expert says