[BreachExchange] Chili’s and Macy’s Teach Very Different Lessons about Breach Response

Destry Winant destry at riskbasedsecurity.com
Fri Jul 27 00:55:12 EDT 2018


https://securityboulevard.com/2018/07/chilis-and-macys-teach-very-different-lessons-about-breach-response/

Each new day seems to bring a revelation of another data breach. They
happen with such frequency now that they have become commonplace and
the media and their readers seem to be losing interest.

However, two recent breaches warrant additional attention as a
learning opportunity for the remarkable contrast in how each was
handled by the companies that suffered them: Chili’s and Macy’s.

On May 11, Chili’s reported that it had experienced a breach. So what?
Just another breach. What was noteworthy about the Chili’s breach is
how fast it was discovered and how quickly the popular restaurant
chain’s payment partners and customers were notified.

Within hours of learning about the breach, Brinker International,
parent company of the Chili’s chain, issued a news release, website
notice and social media advisories informing consumers and other
interested parties of the incident. Brinker immediately shared what
was known, shared what it didn’t yet know about the scope of the
breach and underlying causes, and offered intelligent advice to
consumers whose payment information may have been compromised.

This simple and selfless action allowed Chili’s customers to
immediately begin checking their debit and credit card accounts for
unusual charges. This gave the hackers who stole the payment card data
far less time to exploit the stolen debit and credit cards than they
otherwise would have had. Brinker’s candor and quick action made the
breach less valuable to criminals.

“Upon learning of this incident, we immediately activated our response
plan,” the Brinker press release read. “We are working with
third-party forensic experts to conduct a thorough investigation to
determine the details of what happened. Law enforcement has been
notified of this incident and we will continue to fully cooperate.”

Brinker’s good-citizen response was in sharp contrast to so many
others that we see, where major brands announce data breaches many
months after they have discovered them. By delaying disclosure, they
risk exposing customers, financial institutions and card issuers to
additional loss. These costs are invariably passed on to customers in
the form of higher prices and fees.

While there are many things consumers admire about Macy’s, the
retailer’s recent hacking response protocol is not one of them. The
company waited a month to notify customers following an ongoing breach
of Macys.com and Bloomingdales.com customer accounts. The breach
permitted an unauthorized party to access customer names, addresses,
phone numbers, email addresses, birthdays and debit or credit card
numbers with expiration dates. A company spokesperson stated that the
retailer has since added additional security measures as a precaution,
which likely sent a few puzzled customers and partners to the
dictionary to double-check the definition of the word.

Consumers need to know whether the firms that they’ve entrusted with
their confidential information have implemented security measures that
follow best practices. Unfortunately, the ever-increasing number of
data breaches indicates that in many situations, this isn’t the case.
Most firms implement necessary security, such as multifactor
authentication, but additional regulation is needed to ensure that all
of them do.

Fortunately, recent advancements in anti-fraud technology such as
biometrics, behavior analysis and adaptive authentication are making
the job of stopping hackers easier. These new technologies ease the
burden on users and provide strong protection against hacking threats.

In the meantime, Brinker’s approach with Chili’s serves as a model for
other consumer-facing brands entrusted with their customers’ payment
data.

The formula for success includes:

- Embracing the latest PCI standards completely;
- Adopting layered, in-depth security strategies with multifactor
authentication and risk analysis to validate trusted identities across
all channels;
- Ensuring cybersecurity plans and programs have a breach notification
component;
- Notifying consumers and other stakeholders immediately should a breach occur;
- Providing updated information on the investigation process and status;
- Treating customers and payments ecosystem partners as the invaluable
partners in commerce and security that they are.

Breaches will always be a part of life as long as there is electronic
data and the internet. Custodians of sensitive data need to make the
investment necessary to protect against breaches and they need to be
responsible enough to mitigate the losses for all parties when a
breach happens.

