A guide to data breach response: What organisations should know
Whether we like it or not, we cannot set aside the fact that bad actors are becoming more sophisticated and crafty in the methods they use to hack a target organisation's systems. Even though the safeguards and policies you have implemented are intended to prevent this from happening in your organisation, there is still a possibility that you will suffer a breach, especially if you have not appointed a DPO to oversee your cybersecurity hygiene.
When that happens, what will you do? Whether hackers stole personal data from your corporate server, an employee stole customer information, or personal data was accidentally posted on your company's website, you may be wondering what to do next. But before we delve into that, let's first look at the recent Starbucks data breach affecting 219,000 customers in Singapore.
Hacker sells stolen personal data of 219,000 Starbucks customers in Singapore
Starbucks Singapore, part of the popular American coffeehouse chain, has admitted that it suffered a data breach affecting more than 219,000 customers.
The first sign of the intrusion came on September 10, when a threat actor posted an offer on a popular hacking forum to sell a database containing sensitive information on 219,675 Starbucks customers.
The owner of the hacking forum, who goes by the name "pompompurin," joined the conversation to vouch for the validity of the stolen data, saying that the samples provided show the data is real.
Today, Starbucks Singapore sent out letters to notify its customers of a data breach, explaining that hackers may have stolen their name, gender, date of birth, mobile number, email address, and residential address.
Only customers who have used the Starbucks mobile app to place orders, or the chain's online store to buy items from one of its 125 shops in Singapore, are affected by this breach.
The company said that no financial information such as credit card numbers was lost, because Starbucks does not store that kind of information. Although account passwords, rewards memberships, and credits are not thought to be affected, Starbucks Singapore nonetheless advises customers to change their passwords and stay on the lookout for suspicious messages.
The hacker says that he has already sold one copy of the stolen data for $3,500 and is willing to sell at least four more copies to interested buyers. Limiting the number of copies keeps the value of the offered data artificially high, since selling it to many threat actors would lower its value as multiple attacks are launched at the same time.
This approach makes it more likely that phishing, social engineering, and scams will be used against Starbucks Singapore customers.
What to do when a breach happens to you?
It is important for every organisation that suffers a breach to respond to it immediately, as mandated by the Personal Data Protection Act (PDPA). In some instances, when the organisation responds promptly, the Personal Data Protection Commission (PDPC) may simply give directions for the organisation to follow.
In the event of a breach, under the Notification Obligation of the PDPA, organisations in Singapore must inform the Commission as soon as possible, but no later than three (3) calendar days, and must inform the affected individuals as soon as possible, either at the same time as they notify the Commission or after notifying the Commission.
In the case of Starbucks, it informed the affected customers that their personal data, namely their name, gender, date of birth, mobile number, email address, and residential address, could be in the hands of bad actors.
Moreover, to avoid any further data loss, the organisation must deploy its data breach response team if it has one. The organisation must secure its systems as soon as possible and fix the vulnerabilities that may have caused the breach.
If the organisation does not have an in-house cybersecurity expert to investigate the cause of the breach or to provide a remedy for it, it can assemble an external team to conduct a comprehensive breach response.
Prevention is always better than cure.
Vulnerabilities may be present in your organisation that could be exploited by bad actors, resulting in a breach. Regardless of what policies or safeguards you have put in place to prevent such a breach, if you have not conducted any cybersecurity scans or penetration testing on the servers housing personal data, there is a real probability that vulnerabilities invisible to the naked eye are present and pose a threat to your systems.
To prevent future breaches and reduce the chance of vulnerability exploitation by bad actors, it is therefore better to conduct regular penetration testing to identify such vulnerabilities so that they can be patched as soon as possible.
Furthermore, to ensure PDPA compliance, for example with the Notification Obligation, and to ensure that your organisation's cybersecurity hygiene is always upheld, you can outsource a DPO if your organisation does not have one.
Aside from the fact that appointing a DPO is required under the PDPA, such an officer helps organisations shape their policies to ensure that they comply with their data protection obligations under the PDPA.