After the data breach: Introduction

Though a smaller data breach, affecting only 250 private records, than its predecessors at TJX and ChoicePoint, the musical instrument company Bananas.com (Bananas at Large) was the victim of a hacker who, according to published reports, stole an administrative password by accessing Bananas.com systems as a remote user.

What is interesting about this case is not the small number of records compromised, but the way Bananas.com reacted to the data breach.

Not only did the company wait over a month after the breach to contact the affected customers, but, according to the Associated Press (AP), Bananas.com admitted to the breach only after AP inquired about it.

Allegedly, someone went to an Internet chat room and tried to sell the names, addresses, phone numbers and credit card numbers of 31 Bananas.com customers; that is when the company discovered it had suffered a breach.

Once the breach was known, Bananas.com's 25-person staff raced to contact the affected customers through a blanket of standard mail and e-mail statements.

When it became too much to handle, the company referred customers to credit-reporting agencies for any financial fallout from the data breach.

Because there was no data breach containment plan in place before the breach, and because the company is a web-based, mail-order business, Bananas scrambled to keep up with each state's breach notification laws.

Subsequently, the company was hit with stiff fines from the major credit card companies. "They did not specifically provide a reason for the fees other than saying that we had not met all of the terms in our agreements with them," said Bananas President J.D. Sharp in an article for ComputerWorld magazine. "They'll fine the pants off you," he added. Bananas was caught off guard, with no real data breach plan in place before the intrusion.

If this happens to your organization, there are immediate steps you can take to contain the damage from a data breach while complying with state and federal data breach notification laws.
