How To Survive A Data Leak From Your eCommerce Store

When shoppers share sensitive personal information with online retailers, they expect names, addresses, and credit card numbers to remain private. They trust retailers to care enough about privacy to implement secure systems and follow security best practices. Personal information is as valuable to criminals as it is to retailers, who are engaged in a constant battle of wits with criminals. Often, criminals have more resources and greater technical expertise, which means that, sometimes, the battle will be lost.

It is embarrassing to leak personal data, and, if the business is careless where security is concerned, it is a betrayal. But a security breach does not have to destroy an eCommerce business. A survey carried out this year by CompTIA showed that most Americans are willing to return to an online store that has leaked personal data, but only if there is evidence the retailer took the leak seriously, dealt with it transparently, and has taken steps to secure its platform.

So what should a retailer do when they notice a security breach that involves the loss of sensitive data?

#1 Shut It Down

The first step is to stem the flow. By the time a data leak is discovered, the attacker has probably exfiltrated the data they want, but perhaps not. Shut down the affected servers as soon as possible. If it’s possible to close the leak while keeping the store online, do so, but the priority is to remove the attacker’s access. Shutting down the servers also helps with your investigation: vital evidence can be lost when servers remain in production.

#2 Launch A Preliminary Investigation

Next, carry out an emergency investigation. The goal is to discover how and when the attacker breached your store. What data was stolen? How was it stolen? A thorough investigation comes later. The immediate concern is to establish the parameters of the attack and develop a plan of action. Once you have an understanding of the attack vector, mitigate the cause of the breach as soon as possible.

#3 Keep Customers Informed

Let your customers know what is happening. Evidence shows that businesses that are transparent about data breaches suffer less damage to their reputation. Customers forgive mistakes; they won’t forgive dishonesty or secrecy. It is a good idea to publish and promote a blog post on social media that discusses the details you have available. Omit details that might encourage further attacks, but be as open as possible.

#4 Form A Task Force

Once the immediate danger has been dealt with, form a task force of executives, system administrators, and staff with security experience. The role of the task force is to perform a post-mortem that investigates how the leak happened in more detail. That includes process errors that led to the vulnerability.

For example, if the problem was a vulnerability in an out-of-date eCommerce application, the task force should investigate how it was allowed to become outdated and what processes changes are required to make sure it doesn’t happen again. The goal is not to apportion blame, but to discover information that can be used to improve security processes.

Pragati Verma published an excellent guide to conducting a post-mortem:

“If your first instinct is to put everything behind you and move on, think again. Whether your company is a bank, a healthcare company or a giant retail chain with millions of card-swiping customers, you need to conduct a thorough post-mortem to determine what went wrong — step-by-step, hack-by-hack and mistake-by-mistake.”

Finally, publish an in-depth blog post detailing the findings of the post-mortem. It should say how the attack happened, which data was stolen, and what the business has done to make sure nothing similar can happen again.

A data leak will hurt your business, but the extent of the damage depends on how you handle it. Be transparent, take customer concerns seriously, implement security precautions to make sure it doesn’t happen again, and customers may forgive you.

___________

Sharing is caring!