Following the news of the Paddy Power data breach http://www.paddypowerplc.com/media/news/paddy-power-advises-customers-historical-data-breach, Mark James and David Harley at ESET and Troy Gill at AppRiver comment on the importance of notifying customers as soon as possible and why customers shouldn’t panic:
Mark James, technical team leader at ESET, explains the importance of notifying customers as soon as possible:
“It is imperative not only for customer relations but for security’s sake that these breaches are reported to the end users as soon as possible. I understand there are a set of guidelines the ICO imposes regarding notifying them (24 hours) and the public (no time frame), but I personally believe the damage is much worse the longer you leave it.
“Paddy Power state that they have “not detected any suspicious activity to indicate that customers’ accounts have been adversely impacted in any way” but often the data is not used for that purpose - it’s the basis for other activities and that’s why the end users need to be informed as soon as possible.
“649,055 users’ pieces of potential data that can be used to gain access to other online accounts, including customers’ names, usernames, addresses, email addresses, phone contact numbers, dates of birth and prompted questions and answers, is always an issue.
“The only thing we the end user can do to mitigate the damage is to change the password if used on other sites but it’s also things like secret questions and answers. If we are aware of the breach we can ensure these answers are not used in the future.”
Troy Gill, senior security analyst at AppRiver, on why customers shouldn’t panic:
“There is no need for panic here since no financial or password info has actually been exposed. It might be a good idea for Paddy Power to reset the few things that can be changed for these customers such as question and response specifics and username. Of course these events at the very least serve as a great reminder to keep up good security practices – utilizing different passwords for each account - even if they are a minor inconvenience now, they could potentially save you a major inconvenience down the road. However, according to the disclosure from Paddy Power they do not believe that the passwords were ever stolen/exposed.
“As more disclosure laws are being implemented all the time, I expect to see an upward trend in data breach disclosures over the near future. In this case it appears they only recently verified that the data had actually been stolen back in 2010.”
David Harley, ESET Senior Research Fellow says:
“Intentional long-term non-disclosure is not new. In fact, the trend recently has been away from that because in several jurisdictions non-disclosure may incur legal sanctions if it’s not in the interest of its customers. Even before that, some companies found that the sky didn’t fall if they advised their customers that they were potentially affected by a breach, and that some of those customers even appreciated it. It may be, though, that in the light of some recent cases, companies will be less likely to volunteer information until it becomes necessary, for fear of inviting legal action, especially class actions.
“Using different passwords is still best practice, and essential when it comes to sites where sensitive data such as banking info is concerned, although some people (notably in a recent Microsoft paper) argue that this is overkill in some instances.
“For a customer, if your service provider drops the ball, it doesn’t matter how good your password is. Without getting into what you need to do in individual cases (which will vary hugely), it’s sensible never to assume that the provider will provide you with perfect protection. If they let you know, act on it. If you’re not aware of any issues, it still makes sense to provide yourself with the best protection you can in any instance where your data matters (is sensitive). Don’t share passwords across sensitive accounts, and use alternative/augmentative technologies (e.g. multi-factor authentication) where they are available.”