Notice I said REDUCE, not ELIMINATE. J.D. Wetherspoon is a British restaurant chain that was hacked, compromising information on about 650,000 customers. Although the information was stolen in June 2015, the breach was not discovered until December 2015. While the data was not terribly sensitive (very few credit card numbers; mostly names, email addresses, birth dates and the like), it was still a breach, and customers were not too happy about it.
Why did it take six months to discover? Because the web site that was hacked was outsourced. If I am about to sound like a broken record... well, I am.
So what did Wetherspoon do wrong?
1. The web site that was hacked was an old site. For whatever reason, they did not take the old site offline. They were not using it. Not using it probably means not patching it either. They used an outside vendor for that site and when they built the new site, they used a new vendor. Likely the contract with the old vendor was shut down.
Also likely, there was nothing in either contract that holds the vendor responsible for data breaches. Betcha dinner.
2. Insufficient management of the vendor responsible for their web site. BY DEFINITION, the management was insufficient if the data was breached, not encrypted and not discovered for six months. Anyone want to argue that point? Outsourcing does not mean that you can manage the vendor from the beach.
3. It would appear, from their action or inaction, that they did not have a cyber incident response plan. That would not be unusual for a restaurant chain. However, with all the breaches that we have recently seen at restaurants (especially hotel restaurants), that is probably not a good plan. If your incident response plan is on someone's to-do list, you probably need to move up the priority. If something terrible happens, you don't want to have to tell the CEO or the Board that the incident response plan is on Joe's to-do list, so right now, in the midst of the crisis, we are going to wing it. That did not work out too well for Sony or the Office of Personnel Management. Probably won't make the CEO happy. But, in your job interviews, you can tell your new prospective employer that you now understand the importance of a plan. In Wetherspoon's situation, the magnitude of the crisis was less because the sensitivity of the lost data was less. But that does not mean it wasn't a reputational crisis.
Still, (1) having a plan for the entire lifecycle of your data, (2) managing vendor risk and (3) having a TESTED incident response plan doesn’t seem like asking for too much.
What do you think? How would your company do if something like this happened to you? NOW is the time to start thinking about it.
Information for this post came from SC Magazine.