So you’ve heard there’s been a breach and you’re worried your company’s data might have been stolen? Here's what you can do.
Cyber attacks can happen to anyone: fund administrator Mainspring recently suffered a ransomware attack, MSP solution Kaseya was also the victim of a hack, and let’s not forget the infamous SolarWinds breach. The point is that data governance and third-party risk management can only go so far; these breaches happen (and more often than you think). Don’t blame your supplier; instead, help them respond to the incident as well as possible.
In this guide we’re going to walk you through:
What do attackers do with stolen data? Mostly, they sell it. The initial attacker likely won’t use the data themselves; they’ll sell it on to another criminal who can use it for profit. How? A couple of ways:
Credential stuffing is a fancy term for trying out a username and password combination in lots of different systems. If the attackers were able to access your user details for a particular system, they will likely try that same combination in lots of different online accounts: webmail, bank accounts, crypto accounts, social media, home utilities, pension providers, etc.
People reuse passwords and attackers know this. They’ll capitalise on it to try and get as much access as possible. Once they’ve got access to your accounts, they’ll try and scam you in whatever way they can: blackmail you, lock you out, or even steal money directly.
How to protect yourself? I know it’s obvious but… change your passwords! Change your password for the system you think has been hacked. But also change your password for anywhere you use that same password, or a similar password. If you used dominoes24 as your password for the breached account, but you use dominoes25 and dominoes26 elsewhere… you’d better change those too. And do it quickly.
When reacting to an attack, don’t be afraid to prioritise accounts. You should first change the password on the system that was breached, then change your email password (if an attacker gets access to your email they can ‘forgot password’ their way into other accounts), and then change any other similar passwords.
Once an attacker has access to your account, the first thing they’ll likely do is change your password, so you can’t get back in. On a side note - it’s a really bad idea to reuse passwords, for exactly this reason.
Most people reuse passwords because it’s easier to remember one password and use it everywhere than to remember hundreds of unique ones. But you don’t need to remember your passwords any more: get yourself a password manager. LastPass and 1Password both have free versions you can use, or use the built-in password managers from Google or Apple.
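As an added illustration of the rotation order described above (example code written for this guide, not taken from the original article), the script below takes a constructed password-manager export, finds every account whose password matches or closely resembles the leaked one (dominoes24 versus dominoes25, for instance), and orders them: breached system first, email accounts next, then everything else. The vault contents and account names are made up.

```python
import re
from difflib import SequenceMatcher

# Constructed sample export from a password manager (made-up data, not real accounts).
# Each entry: (account name, username, password, is_email_account)
VAULT = [
    ("pizza-shop.example", "alice@example.com", "dominoes24", False),
    ("webmail.example",    "alice@example.com", "dominoes25", True),
    ("bank.example",       "alice",             "Tr0ub4dor&3", False),
    ("social.example",     "alice_k",           "dominoes26", False),
    ("utility.example",    "alice@example.com", "dominoes24", False),
    ("pension.example",    "alice",             "correct horse battery staple", False),
]

def _stem(pw: str) -> str:
    # Drop trailing digits/symbols so that dominoes24, dominoes25 and
    # dominoes26 all collapse to the same stem "dominoes".
    return re.sub(r"[\d\W_]+$", "", pw).lower()

def is_similar(a: str, b: str, threshold: float = 0.8) -> bool:
    # Passwords count as "similar" if they are identical, share a stem,
    # or are close under a character-level similarity ratio.
    if a == b:
        return True
    if _stem(a) and _stem(a) == _stem(b):
        return True
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold

def rotation_plan(vault, breached_account: str):
    # Accounts to rotate, in the order recommended above:
    # 1. the breached system, 2. email accounts, 3. anything else whose
    # password is the same as or similar to the leaked one.
    breached = [e for e in vault if e[0] == breached_account]
    if not breached:
        raise ValueError(f"{breached_account!r} not in vault")
    leaked_pw = breached[0][2]
    affected = [e for e in vault if e[0] != breached_account and is_similar(e[2], leaked_pw)]
    email = [e[0] for e in affected if e[3]]
    others = [e[0] for e in affected if not e[3]]
    return [breached_account] + email + others

if __name__ == "__main__":
    for account in rotation_plan(VAULT, "pizza-shop.example"):
        print("change password:", account)
```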
Wondering if your email account has been compromised? Head over to www.haveibeenpwned.com and type in some of your email addresses: it’ll tell you just how many data breaches you’ve been a victim of.
If attackers have your email address or phone number, chances are they’ll be spamming you with calls, texts and emails trying to get you to do something you don’t want to do - give them data, click on a link, buy them a gift card.
If it was a company email address that was breached, attackers will use you as a gateway into the company systems. If they can get you to click on the malicious link they’ve sent you in a phishing email, they could potentially gain a foothold in your company’s IT systems and cause all kinds of havoc - stealing more data, deploying ransomware, or disrupting your operations.
How to protect yourself? You may not be able to stop the email/phone call attempts, but you can make sure you respond safely (i.e. not at all). This is not just about you - you need to make sure all of your employees are aware this might happen and to keep an eye out for it. Everybody should be on high alert. If you know what information the attacker has access to, you can be skeptical of anyone who uses that information in any communication with you.
If attackers gain enough information, particularly financial or insurance information, they can use this to impersonate you to apply for services, credit or to spend your money.
How to protect yourself? It depends on what information you think they might have. If they could have credit or debit card details, it’s a good idea to cancel your cards and get new ones issued. If they could have other financial or identity information, consider getting a CIFAS flag on your financial accounts to reduce fraud risk. Note that this also adds some extra checks if you yourself want to open a bank account in the future. It’s a flag saying "I am at high risk of fraud, so double check it’s really me requesting the new account before provisioning it".
In the immediate aftermath of a breach, there will be a lot of uncertainty, a lot of ‘who’s to blame’ (not helpful) and a lot of ‘am I being too dramatic’? The reality is: the quicker you act, the better chance you have of protecting yourself and your company from any damage.
Under the European General Data Protection Regulation (GDPR), a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Such a breach must be reported to the supervisory authority (in the UK, the Information Commissioner’s Office, ICO) without undue delay, and no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk to the rights and freedoms of individuals, those individuals must also be notified without undue delay.