Preparing for Security Breaches

Written by: Glen Morris

Article Overview: A major security breach of sensitive customer data is a nightmare every business with digital consumer records needs to plan for. It may be impossible to stop security breaches, but it is possible, and even a legal obligation, to have a process in place to manage and minimize the damage that a security breach can cause. Here's how to do it.


In March of 2007 online auction powerhouse eBay was hit repeatedly by a hacker identifying himself as Vladuz, believed to be a Romanian fraudster long sought by Romanian police. Vladuz posted his name on several eBay pages and taunted eBay to catch him. He was after more than fame, though. According to an article in eWeek, Vladuz was also posting fake items for sale faster than eBay could take them down, and the payments by the winning bidders went to him. Vladuz also posted the account information of 15 individuals, including their banking info, mother’s maiden name, credit card numbers, and much more.

How bad the Vladuz incident was depends on who you listen to. According to eBay, Vladuz did nothing more than many hackers have done at eBay. According to eBay’s critics (especially at firemeg.com), Vladuz was either extremely lucky or one of the most talented, and dangerous, hackers in the history of e-commerce. In any case, the incident raised a lot of issues that any business selling products or services on the Internet ought to consider. If a security breach can happen to a company with eBay's resources, it can happen to smaller businesses, too.

All things considered, it's hard to believe eBay's version of the incident. For public relations' sake, eBay has a lot of reasons to minimize the damage Vladuz caused, and some of the things Vladuz did on the eBay site have rarely been seen before.

Among other things, Vladuz made postings to different groups on the eBay Website that only an eBay employee should have had the security access to make. In addition, the rate and volume of the fake auctions Vladuz was posting, using stolen but still valid user accounts, could only have been achieved if Vladuz had cracked the security surrounding eBay's seller account databases and was using some kind of automated tool to make the auction postings. Even a large team of people could not have posted so many items in so little time (by some estimates over a million fake items were posted by Vladuz).

In fact, it is likely that there are eBay-specific software tools for sale designed to help hackers rip off eBay customers, just as there are rootkits for sale at rootkit.com, for somewhat similar purposes. Given eBay’s size, it’s not only a natural target for hackers, it’s a big enough target that it would be economical to develop and market specific software for the sole purpose of bilking eBay buyers out of their money. If true, it’s probably only a matter of time before other hacker applications are created that target specific shopping cart applications, and that could spell trouble for smaller businesses online.

Most small businesses don’t even have a security staff, let alone one that continuously monitors the security of their e-commerce Website. For smaller businesses, it’s more likely that customers will notice security breaches before anyone inside the business does, and because of that businesses need to have a system in place that will bring security breaches reported by customers to the attention of the right people. Setting up a process for this is actually fairly easy.

Many of the companies used as bait by phishing attacks, like PayPal and Washington Mutual, have dedicated email addresses for customers to report phishing attacks to. Phishing attacks send out email asking consumers to update their ID or account information and threaten consumers with suspension of their account if they don’t provide the information. A few of the millions of people who receive these phishing attempts fall for them, but the correct response is to forward the email to the security section of the company being used as bait. Usually it’s spoof@something.com or some variation, like fraud@something.com.

This approach costs little if anything to implement, and it could save your company a lot of heartache and expense. If you have an e-commerce Website, you need to make your customers aware of where they should send email in case they see anything suspicious, and you need to designate a person, or team, to constantly monitor that email’s mailbox.

Another thing your online business needs to do is understand and comply with the growing number and complexity of state and federal laws regarding what companies are required to do in case of a known security breach. In California, businesses are subject to the following law:

1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

1798.84. (a) Any customer injured by a violation of this title may institute a civil action to recover damages. (b) Any business that violates, proposes to violate, or has violated this title may be enjoined. (c) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.

In effect, even if a business was not responsible for the security breach in the first place, it is still liable for any cost to the consumer if it doesn’t immediately notify the consumer about the security breach.

With identity theft becoming one of the most common and expensive crimes consumers may be subjected to, we can expect many states to follow California’s lead, and possibly go even further. This means every business should have a process in place to notify customers when their account information has been compromised. It can be done by phone, email or certified letter, as long as it is done immediately. It is not a good idea to wait until a security breach happens to set up the notification process.

It may be impossible to prevent security breaches, but it is definitely possible to minimize the damage they can cause businesses and their customers, and the sooner your business prepares for the worst, the better off you and your customers will be.


About the Author: Glen Morris

For over 14 years I've written a monthly column, "Advertising and the Internet" for the Colorado trade magazine Advertising & Marketing Review exploring the uses and consequences of Internet technology. During that time I also worked on the development teams of the Apple Web Server, VideoVision (the first broadcast quality digital video production system), the WebMD context sensitive content publishing system, and I was the Product Manager for Adobe's first PostScript 3 release. Previously I was the Technology Editor and DTP guru for the trade magazine Colorado Media, Agencies and Client News.
