2012 Breach Lessons Learned - 2013 Do Differents
Agenda



• Introduction

• 2012 Breach Lessons Learned

• 2013 Do Differents

• Q&A




                          Page 2
Introductions: Today’s Speaker


• Ted Julian - Chief Marketing Officer
  • Security / Compliance entrepreneur
  • Security industry analyst




                                    Page 3
Co3 Automates Breach Management

PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments

REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports

MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion

Page 4
2012 – The Year of the Data Breach




                       Page 5
2012 Notable Breaches

• Payment Processor

• Online Footwear Retailer

• Hotel Chain

• State University

• State Agency

• Social Media Site




                             Page 6
Payment Processor

Incident Description: Hackers broke into a handful of servers and gained access to 1.5 million credit card numbers

Incident Response:
• Alerted major card networks
• Immediately notified law enforcement
• Issued new cards

Results:
• VISA removed company from registry of compliant service providers – asked that they revalidate their compliance process for PCI
• Company spent $94 million last year, expects to spend another $25-35 million this year

Lessons Learned:
• Stronger fraud detection systems need to be implemented (their system discovered the breach 3 weeks later)

Page 7
Online Footwear Retailer

Incident Description: Hackers gained access to parts of their internal network, potentially affecting 24 million customers

Incident Response:
• Took assertive steps by requesting that customers change their PWs
• Temporarily shut down their 1-800 number in an effort to redeploy customer service reps to respond to customer emails

Results:
• Class-action lawsuit filed one day later
• Mixed reviews from industry analysts:
  • “Panic mode” by terminating customer PW access
  • Shutting down phone access shows they were unprepared

Lessons Learned:
• The importance of being prepared before a breach occurs, so the response process can be less stressful and more efficient

Page 8
Hotel Chain

Incident Description: Hackers gained access to systems 3 times in less than 3 years

Incident Response:
• Failed to take action after the company found out about the 1st breach

Results:
• FTC sued the company for storing data in plain text & other security failures
  • Suit alleges that the company’s privacy policy misrepresented the security measures the company and its subsidiaries took to protect customer personal information

Lessons Learned:
• Take action right away to respond to breaches
• Take steps to prevent future breaches

Page 9
State University

Incident Description: Bank accounts and SSNs of 350,000 students, faculty and staff were exposed – some over a 15 year period

Incident Response:
• Issued a press release detailing which info was compromised
• Involved state & regulatory law enforcement agencies to assist in investigation
• Offered free credit monitoring services for 1 year

Results:
• Just one of many college/university hacks in 2012 - rich target last year
• Had another breach of 3,500 in May 2012, took 7 months to notify

Lessons Learned:
• The importance of running routine tests/audits of security systems to check configurations

Page 10
State Agency

Incident Description: Phishing attack - an employee opened an email with an attachment, which allowed hackers to access tax info of over 4 million individuals and 700,000 businesses.

Incident Response:
• State Gov. offered free credit monitoring service for 1 year
• Contemplating lifetime credit monitoring

Results:
• Data protection was found to be at fault; senior management was lax, since no system monitoring was in place
• CIO of the agency resigned 2 weeks before the breach was made public

Lessons Learned:
• The importance of data protection
• Senior management oversight is crucial to success

Page 11
Social Media Site

Incident Description: Massive breach – 6.5 million user accounts compromised. Hackers stole and leaked usernames & PWs to a Russian website

Incident Response:
• Confirmed on the site’s blog that some accounts were compromised
• Advised all members to change PWs

Results:
• Announced an investigation to determine the cause
• Sent an email to members with instructions on how to change PWs

Lessons Learned:
• The importance of additional security layers, such as salting passwords

Page 12
POLL
2012 Lessons Learned

• Breach Preparedness – Don’t wait until you’ve been
  breached!

• Encryption / obfuscation wherever possible

• Routine security testing of systems with PI

• Maintain compliance with industry regulations

• Audits / firedrills


                              Page 14
POLL
2013 Do Differents

 BEFOREHAND:
 • Audit encryption policy
 • Refresh and train incident response team
   • Run firedrills!
 • Verify monitoring of PI
 • Conduct routine security audits

 POST-BREACH:
 • Run a tight incident response process
 • Get call center up quickly, highly trained
 • Establish credit monitoring
 • Conduct a thorough post-mortem


                                    Page 16
QUESTIONS

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”
GARTNER

“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE

One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM


Editor's Notes

  • #11 http://itservices.uncc.edu/sites/itservices.uncc.edu/files/UNC-Charlotte_Security_Incident_Press_Release_05092012.pdf
  • #12 “From a state point of view, this is kind of the mother of all data breaches thus far,” said Larry Ponemon, chairman of The Ponemon Institute, which researches privacy and data protection.