How NOT to Handle a Cybersecurity Incident!


Most of the time, it is some untoward cybersecurity incident that teaches organizations the significance of cybersecurity. The investment of resources to strengthen information security is still not prioritized and is considered to be a secondary expenditure. Organizations impacted by such incidents have to go through extreme financial and reputational loss. These compromised organizations set an example for everyone to learn how “not” to handle a cybersecurity incident.

Equifax: Foremost Example of What Not To Do

It was in July 2017 that Equifax revealed that the data of 143 million Americans had been breached. Hackers intruded into the company’s systems in May 2017 through the Apache Struts vulnerability. For three consecutive months, Equifax failed to patch the vulnerability, although Apache had released a software update in March 2017. To make matters worse, this was the second breach that year for Equifax. The attackers managed to change the four-digit password and gained access to its TALX payroll division for the period April 2016 to March 2017. The hackers also redirected the official Equifax account, taking users to a phishing site. Another Equifax site offering free credit was compromised by the attackers as well, and customers who could not access it had to submit paper requests with attached ID documents. [1]

Where They Went Wrong

Delayed Disclosure: Equifax claimed that it learned about the breach at the end of July 2017 and took around six weeks to disclose it. The company could have used that time to plan an incident response and to provide customers with proper guidance. Instead, it announced the sudden retirement of its CEO. [2]

Uber: Paid Ransom to Hide the Breach

Uber was contacted in November 2016 by cyber attackers stating that they had compromised the personal information of 57 million drivers and passengers, of which 25 million were from the United States. Uber realized the seriousness of the breach and paid the attackers $100,000 not to reveal the incident publicly. In 2017, while the board of directors was investigating litigation on an entirely different issue, the law firm discovered the ransom payment, and the breach thus went public. Uber then also had to incur a settlement cost of 148 million with all the stakeholders. [1]

Where They Went Wrong

No Backup Plan: Uber failed to handle the incident according to the applicable law and jurisdiction. Lacking a backup plan, the company paid the attackers without the support of law enforcement.

Expensive Data Breach Covered Up: The ramifications of a cover-up can be worse than the breach itself. The Uber data breach is a lesson for senior executives in any organization to disclose cybersecurity incidents as soon as they are identified.

Failed to Uphold Its Social Responsibility: People trust big organizations mainly because they do their best to protect the data they control and maintain transparency with their customers. Uber failed on both expectations. [3]

Allscripts: The Case of Missing Information

In January 2018, the security operations center (SOC) at Allscripts, an electronic health record (EHR) and practice management software provider, detected abnormal activity. As soon as the team realized that it was a full-blown SamSam ransomware attack, it approached Microsoft, Mandiant, and Cisco for help. The Allscripts network went almost completely down, cutting off reliable access to services and negatively impacting 1500 clients for more than a week. [4]

The real problem began once the network was fully functional again: some of the clients were still facing numerous log-in errors. Allscripts users sent many emails to Healthcare IT News seeking clarification on the accessibility issues. Soon, Boynton Beach, a non-surgical orthopedic practice from Florida, filed a case on behalf of all affected clients claiming that the outage had resulted in significant business interruption and loss of revenue.

Where They Went Wrong

Lack of Transparency: After the containment phase, an organization must address its customers, industry peers, and regulatory bodies. However, Allscripts failed to communicate about the problem at hand, which left its clients frustrated and perplexed.

Managing Cybersecurity Incidents—A Better Way

  1. Take a Multi-Layered Approach

Besides building systems with robust security, organizations should perform regular maintenance to ensure that security controls stay up to date. They should take extra measures when storing data. Organizations should also build policies and procedures and impart regular training to staff at all levels. Lastly, an incident response plan should be kept handy so that if a breach occurs, it can be mitigated immediately.

  2. Focus on Aftermath Initiatives

Many companies have no strategy for business continuity and mitigation, tending instead to concentrate on prevention techniques. After so many major incidents, organizations are now learning that, to avoid the embarrassment incurred by the likes of Equifax, they must plan how to react to a data breach. This includes resilience planning to ensure business continuity, covering recovery activities and effective communication with data privacy regulators and affected clients.

  3. Consider Data as an Asset

When data is not appropriately secured, and where processing activities are not documented and traced correctly, the data can become a liability to the organization. Data should be treated as an asset and, by implication, adequately secured.

Incident handling is as important as incident prevention. Security prevention draws on a range of skills and talents, from forming strategies to putting them into practice throughout the organization. Incident handling calls for similar professional skills and knowledge. The EC-Council Certified Incident Handler (E|CIH) program is a required credential when you want to lead an incident handling team. It is a comprehensive specialist-level program that imparts the knowledge and skills organizations seek from an expert to handle the incident and containment process effectively. More details about the program are available on our website.


[1] https://www.healthcareitnews.com/news/how-not-handle-data-breach-brought-you-uber-equifax-and-many-others

[2] https://www.csoonline.com/article/3226480/making-a-bad-situation-worse-how-equifax-mishandled-the-breach.html

[3] https://www.govtech.com/blogs/lohrmann-on-cybersecurity/after-uber-data-breach-lessons-for-all-of-us.html

[4] https://www.csoonline.com/article/3261093/ransomware-healthcare-and-incident-response-lessons-from-the-allscripts-attack.html
