5 Lessons From the Latest Data Breaches

Son of a breach, two more security incidents are making headlines: Coca-Cola and Michaels Stores.

That means we’re looking at four major data loss events in the past few weeks alone—three at national retailers, including Target and Neiman Marcus.

Companies can learn from how other organizations respond to a data breach, for better or worse. Here are key takeaways for businesses that want to protect themselves from similar disasters.

1.Get the Word Out, Pronto

Communicate the problem quickly and clearly. Don’t follow Target’s footsteps. Hackers stole confidential data of up to 110 million customers who shopped at stores from Nov. 27 to Dec. 15, 2013. But instead of proactively announcing the breach, Target got scooped by respected security blogger Brian Krebs, who broke the story on Dec. 18. On the same day, Target CEO Gregg Steinhafel issued the statement that “we are pleased with Target’s holiday performance.” The company confirmed the breach only after the U.S. Secret Service and American Express released their own investigations.

Michaels, on the other hand, is taking the opposite tack. Though an investigation is still underway, the arts-and-crafts retailer confirmed it was investigating a potential breach immediately after Krebs broke the news. Michaels said it wanted to notify customers “in light of the widely reported criminal efforts to penetrate the data systems of U.S. retailers.” The company may avoid PR waves by slipping this news in quickly while the Target and Neiman Marcus breaches are still being digested. “Michaels could be taking a page from the Heartland playbook,” said Eduard Goodman, chief privacy officer at IDentity Theft 911, referring to the payment systems company’s breach announcement on the day of President Obama’s 2009 inauguration.

2. Send Clear Messages

Consider communications to potential victims with great care. Target made yet another egregious error by notifying customers of the breach via poorly considered, suspicious-looking email communications. The email included a suspicious sender address: TargetNews@target.bfi0.com instead of @target.com. Plus, it directed users to click on a link for additional details on the monitoring. The bizarre “bfi0” in the subdomain suggested nothing official to differentiate it from phishing and malware-laden emails sent by scammers following such corporate data breaches; scammers often make subtle tweaks. Many people who received the email didn’t actually shop at Target during the compromised dates, which made the email appear even more like a scam. Because the notice was delivered via email and probably due to the fact that it originated from a suspicious email address the original message ended up in many junk mailboxes.

3. Have an Information Security Policy—and Use It

In Coca-Cola’s case, proper security controls clearly weren’t in place. A former employee responsible for maintaining and disposing of computer equipment kept the old computers that contained the personal information of more than 70,000 employees, as well as corporate data. A solid information security policy would cover the handling, sanitation and disposal of sensitive data. Implementation of proper policies and controls with IT governance oversight can minimize the risk of data leakage caused by the disposal of old computer hardware.

4. Invest in Network Defenses

Hackers are working to exploit weaknesses in retailers’ point-of-service systems and networks. For example, they’re targeting weak administrative passwords used to manage POS systems remotely and finding clever ways to install malware. Retailers would do well to strengthen those POS systems and networks by 1) using strong passwords or two-factor authentication for POS administrative access and accounts, 2) updating POS software applications using the latest security patches, 3) restricting outside access to POS systems from the Internet, and 4) if it isn’t required, disallowing remote access.

5. Carefully Consider Free Credit Monitoring

When a breach involves payment card information and no Social Security numbers, companies like Target often make the mistake of offering free credit monitoring. They’re trying to reassure consumers but instead may give them a false sense of security. Credit monitoring looks at changes to a credit file that have been reported to Experian, Equifax or TransUnion. Credit monitoring does not monitor existing credit accounts. So, if a Target customer enrolls in the credit monitoring solution provided by Target, that customer would not be alerted if an existing account—in this case credit cards and payment cards—was used fraudulently. The only way for Target customers to find out if an existing credit or payment card is misused is by monitoring their payment card accounts for suspicious activity.

Finally, data breach victims should take steps to monitor their identity and credit, and check with their providers. An insurance company, credit union or employer is probably already offering this benefit free or at a very low cost. Check with them to activate the service.

If you want a free way to monitor your credit, the Credit Report Card will update two of your credit scores for free every month.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its affiliates.