OPLIN 4Cast #286: Responding to a breach

Posted in 4cast

Last week’s revelation that millions of LinkedIn passwords had been stolen was just the latest in a long line of data breach stories. While public libraries don’t store millions of passwords or credit card numbers, they do store a lot of patron data, and things as mundane as people’s street addresses are beginning to be treated as sensitive information by some security experts. With luck, your library ILS vendor has not made the same mistake LinkedIn made: its leaked passwords were stored as unsalted SHA-1 hashes, which attackers can crack by the million with a precomputed wordlist. But if the worst should happen and your library system gets hacked, what’s the best way to respond? Are there lessons to be learned from the misfortune of previous data breach victims?
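To make the LinkedIn mistake concrete, here is an added example (written for this post, not code from LinkedIn, any ILS vendor, or OPLIN) that stores a constructed three-account patron table two ways: as unsalted SHA-1, the 2012 LinkedIn scheme, and as per-user salted PBKDF2-HMAC-SHA256. It then runs the same tiny attacker wordlist against both and counts the hash operations each attack needs. The account names, passwords, wordlist and the low demo iteration count are all invented for the example; the real cracking of the LinkedIn dump is not reproduced here.

```python
import hashlib
import hmac
import os

# Constructed sample data: three patron accounts and a tiny attacker wordlist.
# Names, passwords and the wordlist are invented for this example.
ACCOUNTS = {"alice": "password", "bob": "linkedin", "carol": "Tr0ub4dor&3!"}
WORDLIST = ["123456", "password", "linkedin", "library", "letmein"]
DEMO_ITERATIONS = 10_000  # kept low so the demo is quick; use 600_000+ in production


def weak_hash(password):
    """The 2012 LinkedIn scheme: one unsalted SHA-1 per password, no work factor."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_weak(accounts):
    return {user: weak_hash(pw) for user, pw in accounts.items()}


def crack_weak(stored, wordlist):
    """Attacker's view of unsalted hashes: hash each guess ONCE, then look every
    account up in that table. Returns (cracked dict, hash operations used)."""
    table = {weak_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def strong_hash(password, salt=None, iterations=DEMO_ITERATIONS):
    """Per-user random salt + PBKDF2-HMAC-SHA256. The record is self-describing
    so the iteration count can be raised later without a flag day."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password, record):
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def store_strong(accounts, iterations=DEMO_ITERATIONS):
    return {user: strong_hash(pw, iterations=iterations) for user, pw in accounts.items()}


def crack_strong(stored, wordlist):
    """Attacker's view of salted, iterated hashes: no shared table is possible,
    so every guess is recomputed per account, and each guess costs
    `iterations` HMAC calls instead of one SHA-1."""
    cracked = {}
    ops = 0
    for user, record in stored.items():
        iterations = int(record.split("$")[1])
        for w in wordlist:
            ops += iterations
            if verify_strong(w, record):
                cracked[user] = w
                break
    return cracked, ops


if __name__ == "__main__":
    weak_cracked, weak_ops = crack_weak(store_weak(ACCOUNTS), WORDLIST)
    strong_cracked, strong_ops = crack_strong(store_strong(ACCOUNTS), WORDLIST)
    print("unsalted SHA-1:", weak_cracked, "in", weak_ops, "hash ops")
    print("salted PBKDF2: ", strong_cracked, "in", strong_ops, "hash ops")
```

Note what the example does and does not show: the two dictionary passwords fall under both schemes, because no hashing rescues a password that is on the attacker's wordlist. What salting and iteration buy is that the attacker can no longer amortize one hash table across every account in the dump, and each guess costs thousands of operations instead of one, which is the difference between cracking most of a 6.5 million-row leak in hours and having to pay that price per user.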

  • Dissecting LinkedIn’s response to the password breach (PC Magazine/Fahmida Y. Rashid)  “‘We are contacting all members we believe could potentially be affected, starting with those who we believe are at the greatest risk. We have already initiated the outreach,’ a LinkedIn spokesperson said in an email. She was unable to provide any other details. I was very concerned about LinkedIn’s focus on members at ‘greatest risk.’ How do they define this?”
  • Zappos data breach response a good idea or just panic mode? (Network World/Ellen Messmer)  “…online shoe and clothing retailer Zappos has taken assertive steps, including compelling customers to change passwords, plus temporarily foregoing 800-number phone service in an effort to redeploy customer-service representatives to respond to customer email.”
  • Heartland CEO on breach response (BankInfo Security/Tracy Kitten)  “…[Bob Carr, CEO of Heartland Payment Systems] says information sharing is key, especially among other payments processors. ‘Don’t minimize the impact,’ Carr says. ‘Share information. … The bad guys might be in somebody else’s system, so it is good for everyone to communicate.’ Although a great deal has changed since 2009, when Heartland’s breach was exposed, Carr says open communications, especially for publicly-traded companies, will pay dividends in the long run.”
  • Data breach response plans: Yours ready? (Information Week/Mathew J. Schwartz)  “Timing-wise, for example, don’t assume that immediately disclosing a breach should be the first step. ‘I’ve seen organizations that totally jumped the gun–We’ve got to do it– and they’ve notified, but have no response mechanism in place for the individuals who have been affected, so it’s adding insult to injury,’ Brian Lapidus, chief operating officer of Kroll Fraud Solutions, tells me. ‘We always tell our clients that if they’re going to notify about the problem, say what the solution is at the same time, and give them avenues to call or contact you back.’”

Breach facts:
The three breaches mentioned above affected: 6.5 million LinkedIn users; 24 million Zappos customers; and 130 million Heartland credit card accounts.
[And one more fact: OPLIN’s plan for Security Incident Response is included in our overall Information Technology Security Management plan.]