No Data is an Island: One Infosec Pro’s Experience As a Consumer Involved in a Data Breach

2018-10-03T13:23:22
Reporter Ryan Murphy
Modified 2018-10-03T13:23:22

Description

British Airways (BA) was hit by a major breach that resulted in a loss of customer records. I was notified promptly by BA. I thought their public response was timely. By the way, this breach was announced while I was about to board a BA flight to Heathrow. My credit card was used to purchase my tickets multiple times. My card was not impacted during my travel to the UK and subsequent dates before yesterday, Oct. 1.

Yesterday, I got a text from my credit card provider saying my card had been affected and requesting I call them. Thinking this may be social engineering, I looked at the card and called the number on the back instead. As soon as I spoke to a person, they simply said my card had been compromised. I kind of knew this was coming. Crypto much?

My credit card company took immediate action upon noticing strange behavior. They cancelled the card. No big deal. I am home until next week. My card is being sent and must be signed for. I have gotten text messages about its travel every step of the way. This is actually as great of a consumer experience as there could be given the circumstances. I lost no money. Fraud activity was detected immediately and I was notified as the consumer. Sept 5 to Oct. 1 is 24 days. 24 days or less for the attackers to use the data. That’s how volatile the data actually is. That’s a small window for the attackers to work within. If I factor in the size of the problem and how many attacks occur, I have to say, from a consumer response perspective, this is a pretty great response.

> _Putting my infosec hat back on for a second._ A third party noticed activity immediately based on correlated data from the breach and behavioral activity that occurred. The baseline deviated. They escalated an alert. The alert was triaged by a human. The human confirmed the alert and reached out to take response action. The third party then closed the account and issued a new one. If a program could do this with accounts alone in real time, it would be a huge advantage to the defenders. The stream of events and correlation allows for real-time response with high-confidence, actionable intelligence.

All things considered, while it's concerning my data got breached, I feel that my credit card company (and me) taking proactive steps, such as using separate passwords for sites and using one card for all travel purposes (limiting my risk to one card impacted), together with understanding the realities of cybersecurity and eCommerce, has helped to ease the pain greatly. While this might not be everyone’s experience with a breach, I wanted to take a minute to say that on this particular one, we seem to be doing a good job responding and I think we should take a minute to celebrate the wins as well.

The only way we win this is to pull together, share more and be less afraid to talk about what happened and get to the actual root causes. Unfortunately, it’s the price of doing business today. We still have lots of work to do. We need to continue to learn from processes like fraud detection and alert triage. No team is perfect and we all depend on someone else’s security program. Our data is everywhere. There is simply no way to partake in the modern business of being human without that. The interconnection of companies and humans is being used against us. We have made great strides in cooperation and sharing but more is needed. If one program fails, all of our programs fail. One attack against any of us should make all of us better. No data is an island.

Let’s all get through this together.

The post No Data is an Island: One Infosec Pro's Experience As a Consumer Involved in a Data Breach appeared first on Carbon Black.