Data Breach at Michael's Company - Case Study Example


Extract of sample "Data Breach at Michael's Company"

Data Breach at Michaels Company
By (Name) Course: Professor: Institution: City: Date:

Michaels Company is one of the largest arts and crafts chain stores in the world. The company reported a data breach at the end of January 2014. Through its press release, the company reported that around 2.6 million cards that were used in payments at the store had potential exposure between May 2013 and January 2014. Additionally, it reported that close to four hundred thousand cards had been affected at Aaron Brothers stores between June 2013 and January 2014 (Walters, 2014). It stated that both the credit and debit card numbers and their expiry dates had been severely exposed. Nevertheless, personal information such as addresses, PINs and names was safe. The company first acknowledged the possible data breach in January 2014, following the largest data breach recorded in history, at Target Company, which affected over 100 million customers (Walters, 2014). In the statement posted on the company’s website on Thursday, the company disclosed that two security firms had found evidence of a possible data breach at Michaels and its framing subsidiary, Aaron Brothers. The attack at Michaels mostly targeted the company’s point-of-sale systems. The company has 1135 stores, and its subsidiary has 119. The data breach was disclosed publicly through a joint press release and a statement on the company’s website. According to Michaels, which is based in Irving, Texas, the two independent security firms it hired to investigate the breach initially found no threat. It took weeks of continuous analysis before the company found evidence confirming that its systems and those of its subsidiary, Aaron Brothers, had been hacked. The hackers used highly sophisticated malware that neither of the two security firms had encountered before.
These cyber criminals planted the malware on cash registers at the company’s stores across the nation, stealing approximately three million debit and credit card numbers from customers (Cease, 2014). The details the company revealed about the breach were sparse, since the disclosure was made as part of an ongoing investigation. Notably, the announcement came shortly after the technology writer Brian Krebs reported that the company was investigating a data breach (Arlitsch & Edelman, 2014). The retailer’s first reaction was to send notification letters to its affected customers. The letters stated that the company had learnt of fraudulent activity on cards that had previously been used at the company.

A crime for cash

Financial fraud experts said Michaels Company’s point-of-sale (POS) attack was aimed at cash, not cards. Unlike other massive data breaches at giant U.S. retailers, for instance Target, which aimed at stealing debit and credit card numbers and selling them on the Dark Web, the Michaels attack aimed at compromising PINs and card numbers for use in fraudulent ATM withdrawals (Arlitsch & Edelman, 2014). The perpetrators had to capture the customers’ PINs at the terminal, since the PIN encryption was so strong that once the PIN left the terminal it was impossible to recover. The Michaels POS swap sounds like a low-tech scheme, but it is one of several similar attacks on hundreds of retail stores. This attack confirmed tactics that the company’s analysts had previously suggested but had not been able to definitively pinpoint.

Analysis of how Michaels Company Managed the Data Breach Investigation

The first step the company took in response to its customers’ data breach was a well-documented investigation by two security firms, which confirmed the breach. The security firms identified in detail the exact kind of data that was compromised and how the compromise was possible.
For instance, the firms identified that customers’ debit and credit card numbers and PINs were the parts of the data compromised (Shields, 2015). Most of this investigation was overseen by the company’s legal counsel. This was done to manage and assess any liabilities relating to statutory requirements that the company might need to act upon as soon as possible. It also ensured that the investigation remained protected by attorney-client privilege. The company also engaged a law enforcement agency, the FBI, to help with its data breach investigation.

Notification

This is the most important decision the company’s management had to make after confirming the possible data breach affecting approximately three million of its customers. The CEO notified the affected customers of the breach through a press release and a written notification on the company’s website. Notifying customers of their compromised card status enabled both the customers and the company to take measures to prevent avoidable losses. Most companies and customers respond by notifying their respective banks for card replacement and upgraded security. Being forthright with customers about the breach helped to engender transparency and loyalty between the company and its business partners and customers (Hemphill & Longstreet, 2016).

Data Breach Response Plan

This plan details how the company responded to the breach of its customers’ data. The first step the company took to mitigate the breach was assembling a data breach response team. This team was set up to oversee an effective and efficient response to the breach. The response team was composed of IT representatives, an incident lead, HR representatives, customer service representatives, public relations, and legal and privacy representatives (Becker, 2014).
The incident lead had extensive knowledge of the company’s system security and coordinated the overall response effort. The IT representatives identified the root cause of the breach and initiated the system security response. These responses included preserving evidence, taking the infected machines offline and securing the company’s machines (Becker, 2014). The privacy and legal representatives assisted in directing the response so as to minimize the risk of penalties and litigation. The public relations representatives acted as the central coordinator for data breach communication, to keep it consistent and accurate. HR and customer service representatives guided employees on how to handle customers’ questions about the breach. The response team carried out various critical actions after the breach. The first action was immediately securing the data and containing the damage caused. They identified the extent and scope of the breach as having affected three million customer credit and debit cards. The team then issued a security incident declaration that prompted the CEO to address the issue through a press release. The team also stated, for both external and internal parties, the period within which the breach occurred, which, as noted, was between May 2013 and January 2014 (Hoover, 2013). The team then compiled a list of outside vendors the company needed to engage after the breach. These outside vendors included outside counsel, computer forensics experts, credit restoration services, and government agencies, specifically the FBI (Modi et al., 2015). The company considered providing free credit monitoring to the affected customers to extend its support. The effectiveness of the response plan was then assessed and documented by the company’s response team and auditors.
The mitigation efforts of this response were also assessed to determine whether any changes were required to improve it in case of another breach incident. The company’s response plan is constantly updated and evaluated through its response team to ensure it remains relevant in a continuously changing technological world. Among the areas evaluated and updated are the IT security response processes, the membership of the data mitigation team, and employee awareness of data security issues. The company constantly monitors changes in federal and state laws that address data breach notification, obligations and legal requirements.

The Company’s communication strategy

The company’s communication about the data breach incorporated various crucial communication management elements geared towards containing the situation. The first element is the integration of the public relations and communication plan into the data breach crisis management. The second element shown in the communication is the plan the company had to mitigate the crisis. This is evident from the way the company formulated and updated its data breach avoidance plan to prevent future breaches. Such a plan is essential for effective and coordinated fact gathering and for identifying strategic statutory and litigation positions for a swift data breach response (Subashini & Kavitha, 2011). The other element of the company’s data breach communication is control of the narrative. The company used various media platforms to get the message to its customers as soon as possible. The platforms the company’s management used included a press release, postings on the company’s website, and emails to the affected customers. The content of the communication was precise, succinct and delivered consistently to the external and internal components of the organization (Kern et al., 2002).
The other element is the decisiveness of the message communicated by the company. Through its executives, the company decided to give the affected customers at least a year’s worth of free credit monitoring and identity protection. The company also announced its plans to develop a surveillance center for the prevention of fraud and cyber crises.

Creation of data breach avoidance plan

The company developed its data breach avoidance plan in several steps to prevent future hacking. The first step in this plan was the creation of a data map. The data map created by the company’s IT team covered the types of data, how the data is received, where and how it is stored, how it is transmitted, how it is secured, how backups are created, and who has clearance to alter the data (Zissis & Lekkas, 2012). The company’s data map was created by compliance professionals in the IT department proficient with various diagramming software. This step clearly illustrated how information should flow through the company’s systems and formed a critical step in ensuring the company’s compliance with federal regulations. The second step is categorizing the company’s data as sensitive, private or public (Sonnenreich et al., 2006). Sensitive or confidential data is treated as high-risk data, protected by confidentiality agreements, and has the highest level of security in the organization. Private or internal data contains proprietary information and some company contracts. It is not protected by binding agreements or federal laws, but the organization still awards it some level of security control to avoid possible misuse. Public data is awarded the lowest security level by the company. This classification has enabled the company to assign proper security controls to its data, thus lowering the chance of a breach. The third step is the implementation of data security safeguards (Choobineh et al., 2007).
To establish security for both electronic and physical data, the company developed its data management and protection measures. The first measure is encryption of all its sensitive data and the creation of firewalls, strict passwords and network segmentation. The second measure is constant monitoring of the company’s communication systems, such as video surveillance, telephone calls or internet use. The other measure is the implementation of employee training programs that address the company’s data protection measures and internal policies. The fourth step is adherence to data security representations (Chen et al., 2006). The company made several representations about its data security in its written terms of service and privacy policies. This helps the company ensure that all its clients’ data is handled and protected in accordance with those representations. The company therefore works closely with security professionals to audit security-related issues at least twice every year. Explicit statements about data security are stated and adhered to by the company. The fifth step is assessment of the relationships the company has with its third-party vendors. This step helps the company conduct due diligence on potential vendors’ privacy practices and data security (Rhee et al., 2009). It also facilitates appropriate data protection in future contractual agreements. The company reviewed all its existing third-party vendors to determine whether the existing contracts cover data protection requirements, required notification in case of any breach, and the right to audit the third parties’ security measures. The company is thus in a good position to alert its customers to any red flag and advise them appropriately. The last step of the company’s future data breach avoidance plan is its purchase of cyber insurance (Pearson, 2009).
The company urged its clients to adopt insurance policies and determine the extent of protection they could receive from a cyber security breach in the future. Existing cyber insurance policies vary widely in their coverage and premiums. The company therefore requires its customers to negotiate for the coverage that best accounts for hacking of credit and debit card security data.

Conclusion

Michaels Company reported that around 2.6 million cards that were used in payments at the store had potential exposure between May 2013 and January 2014. Financial fraud experts said Michaels Company’s point-of-sale (POS) attack was aimed at cash, not cards. Following the attack, management took a decisive response approach to mitigate the crisis. This included conducting investigations, notifying the affected customers, and executing the data breach response plan directed by the company’s data breach response team. The company then developed an extensive data breach prevention plan to avoid any future cyber crisis within the company. The success of the company’s communication management of the data breach resulted from the decisiveness, narrative control and integration approaches incorporated in the messages it used to address the breach.

Reference list

Arlitsch, K. and Edelman, A., 2014. Staying safe: Cyber security for people and organizations. Journal of Library Administration, 54(1), pp.46-56.

Becker, M.J., 2014. The consumer data revolution: The reshaping of industry competition and a new perspective on privacy. Journal of Direct, Data and Digital Marketing Practice, 15(3), pp.213-218.

Cease, C.C., 2014. Giving out your number: A look at the current state of data breach litigation. Ala. L. Rev., 66, p.395.

Chen, C.C., Shaw, R.S. and Yang, S.C., 2006. Mitigating information security risks by increasing user security awareness: A case study of an information security awareness system. Information Technology, Learning, and Performance Journal, 24(1), p.1.

Choobineh, J., Dhillon, G., Grimaila, M.R. and Rees, J., 2007. Management of information security: Challenges and research directions. Communications of the Association for Information Systems, 20(1), p.57.

Contemporary Public Speaking, First Edition. Faculty of Business, Government & Law, University of Canberra. http://www.canberra.edu.au

Hemphill, T.A. and Longstreet, P., 2016. Financial data breaches in the US retail economy: Restoring confidence in information technology security standards. Technology in Society, 44, pp.30-38.

Hoover, J.N., 2013. Compliance in the ether: Cloud computing, data security and business regulation. J. Bus. & Tech. L., 8, p.255.

Kern, T., Willcocks, L.P. and Lacity, M.C., 2002. Application service provision: Risk assessment and mitigation. MIS Quarterly Executive, 1(2), pp.113-126.

Management Communication, First Edition. Faculty of Business, Government & Law, University of Canberra. http://www.canberra.edu.au

Modi, S.B., Wiles, M.A. and Mishra, S., 2015. Shareholder value implications of service failures in triads: The case of customer information security breaches. Journal of Operations Management, 35, pp.21-39.

Pearson, S., 2009, May. Taking account of privacy when designing cloud computing services. In Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing (pp. 44-52). IEEE Computer Society.

Rhee, H.S., Kim, C. and Ryu, Y.U., 2009. Self-efficacy in information security: Its influence on end users' information security practice behavior. Computers & Security, 28(8), pp.816-826.

Shields, K., 2015. Cybersecurity: Recognizing the risk and protecting against attacks. NC Banking Inst., 19, p.345.

Sonnenreich, W., Albanese, J. and Stout, B., 2006. Return on security investment (ROSI): A practical quantitative model. Journal of Research and Practice in Information Technology, 38(1), pp.45-56.

Stoneburner, G., Goguen, A.Y. and Feringa, A., 2002. SP 800-30: Risk management guide for information technology systems. National Institute of Standards and Technology.

Subashini, S. and Kavitha, V., 2011. A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications, 34(1), pp.1-11.

Sweeney, L., 2002. k-Anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(05), pp.557-570.

Walters, R., 2014. Cyber-attacks on US companies in 2014. Heritage Foundation Issue Brief, (4289).

Zissis, D. and Lekkas, D., 2012. Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), pp.583-592.
