When you look at the worst responses to data breaches, one thing becomes clear: when an incident response makes a breach worse it is usually characterized by a lack of preparation before the breach and poor execution of a response plan after the breach.
However, not all breaches result in millions of dollars in fines and damages and resigned CEOs. Whereas a poor incident response plan tends to capture the media’s attention, there are a few companies who have managed to escape relatively unscathed after experiencing massive breaches, in large part due to their advanced planning and superior response.
Below is a list of 5 companies that bucked the general trend and earned high marks in their incident response when they were faced with a data breach, and in doing so, saved themselves millions in fines, loss of business and reputation.
1. Adobe Breach (2013)
The Adobe breach of 2013 was a unique situation. Whereas most hackers who steal data aim to exfiltrate personal information of customers, including personally identifiable information (PII), personal health information (PHI) or financial information, in order to sell them to the highest bidder, the Adobe breach also targeted portions of the source code of several of the company’s creative software, including Adobe Acrobat, ColdFusion, ColdFusion Builder, and other Adobe software.
The loss of source code was particularly troubling to Adobe, and made the response that much more difficult because hackers now had the opportunity to discover and exploit zero-day vulnerabilities within Adobe’s products. Adobe spent weeks doing forensic investigations and conducted meetings “every four hours for forensics updates,” according to Adobe CEO Brad Arkin.
After the company conducted a thorough analysis of the stolen source code from its products as well as partner products that were exposed in the breach in order to determine the risk its customers were facing, Adobe correctly determined that there wasn’t any risk of a vulnerability being discovered/exploited from the amount of source code that was stolen.
Along with the source code, hackers stole 3 million encrypted credit card numbers, customer usernames, passwords, and email addresses that impacted 38 million customers. Adobe was quick to notify its customers of the breach and deliver a flurry of password reset emails to its user base.
Some of Adobe’s success can be attributed to its Security Coordination Center, dubbed the “uber incident response team” by Arkin. Adobe also brought in several third-party vendors to help in its internal forensics investigation. Adobe had conducted “table-top exercises for decision-making models” which went a long way towards minimizing friction between different internal teams and outside vendors and helped clarify who would be in charge of what decisions.
2. Home Depot Breach (2014)
Home Depot’s breach, revealed in September 2014, had a lot of similarities to the Target breach. In both cases, hackers targeted a well-known retailer. Both instances involved credit card information being stolen as customers swiped their cards at the checkout. Both retailers were infiltrated when attackers compromised a third-party vendor to gain access to the point-of-sale systems and install malware. And both retailers were targeted during the most important shopping season for their respective sectors (spring and summer for Home Depot and holiday season for Target).
However, whereas Target faced harsh criticism from customers and the media as well as lost revenue and a sharp drop in its stock price, Home Depot got away fairly unscathed. That’s despite the fact that 56 million payment card numbers were stolen from Home Depot compared to the 40 million stolen from Target.
One of the big differences between the two cases, which may have led to the vastly different outcomes, was the way the breach was communicated to customers. Target waited a week to notify customers after it had confirmed that their payment system had been breached. Home Depot, on the other hand, notified its customer of a possible breach before it was confirmed by its investigation and forensics team. Home Depot also offered free credit services to affected customers who used their payment card as early as April of 2014.
3. Heartland Payment Systems Breach (2008)
In January of 2009, Heartland announced a massive breach in its payment card processing system that exposed payment card information of over 100 million individuals (some estimates put the number closer to 130 million cards) across 650 financial services companies. At the time, it was the largest ever breach of card data.
One of the things Heartland did differently was instead of focusing on the breach itself, it decided to raise awareness among its consumers of data breaches. Heartland took several steps to open communication between companies who face data breaches in order to learn from each situation. “Payment processors should, for the betterment of our industry, share what happened,” Bob Carr, the then CEO of Heartland, would go on to say in an interview. In an effort to help avoid the same fate of other payment processors, Heartland founded the Payments Processing Information Sharing Council, an unprecedented move for a company who experienced a massive breach.
A few months after the breach, Heartland launched their E3 solution, an end-to-end encryption technology built to protect credit and debit card data at the moment the card is swiped. In reaction to Heartland’s new security measures, which was the first of its kind in the U.S., Gartner Analyst Avivah Litan remarked Heartland “is basically leading the way for the rest of the industry.”
Heartland’s response to the breach led other processors such as Wordplay US to introduce similar end-to-end encryption. Heartland followed this up by launching Heartland Secure, which combined end-to-end encryption, tokenization technology, and EMV electronic chip card technology to protect consumers and business owners against card-present data fraud and credit card breach.
4. Lockheed Martin Non-Breach (2011)
In early 2011, EMC’s security division, RSA, discovered a massive data breach that resulted in stolen information relating to SecurID two-factor authentication, a product sold by RSA.
Soon after, Lockheed Martin, a leading defense contractor, discovered an intruder in its network using credentials acquired from the RSA breach. To be clear, no data was stolen during the breach, in part because the breach was discovered so quickly. The response to the breach was as equally impressive as the speed with which Lockheed discovered the breach.
When Target’s point-of-sale payment system was breached, the intruder triggered an alarm, which was promptly ignored by Target’s IT security team. Lockheed Martin nearly suffered the same fate. “We almost missed it,” said Steven Adegbite, the then Director of Cybersecurity for the company, “we thought at first it was a new person in the department… but then it became really interesting.”
Once Lockheed noticed the anomalous behavior of the intruder, they responded by deploying their homemade framework named “cyber kill chain.” With this, Lockheed was able to track every movement of the intruder and raised an obstacle in front of every attempt at stealing data from Lockheed’s network.
While most incident responses focus on the activities one must do after data has been stolen, one key element of an effective incident response is the discovering of a breach as early as possible so as to minimize the damage. The “kill chain” framework, adopted by Lockheed, implies Lockheed adhered to the philosophy of “assume breach,” and it helped protect their network.