Although a security patch was made available almost immediately once it was discovered, some administrators were slow to react, leaving servers exposed for longer than necessary
Resetting passwords for user accounts that may have been compromised and advising users to change other accounts on which they use the same password.
Disabling network access for computers known to be infected by viruses or other malware (so they can be quarantined) and blocking the accounts of users that may have been involved in wrongdoing.
Taking steps to recall or delete information such as recalling emails, asking unintended recipients to destroy copies or disabling links that have been mistakenly posted.
Take care to ensure that steps taken to contain the breach don't inadvertently compromise the integrity of any investigation.
Step 3: Assess the extent and severity of the breach
The results will dictate the subsequent steps of your response. A thorough assessment involves:
Identifying who and what has been affected. If it's not possible to tell exactly what data has been compromised, it may be wise to take a conservative approach to estimation.
Assessing how the data could be used against the victims. If the data contains information that could be used for identity theft or other criminal activity (such as names, dates of birth and credit card numbers) or that could be sensitive (such as medical records), the breach should be treated as more severe. If the data has been encrypted or anonymised, there is a lower risk of harm.
Considering the context of the breach. If there has been a deliberate hacking, rather than an inadvertent breach of security, then the consequences for the relevant individuals or organisations could be much more significant. This should inform how you respond to the breach.
Step 4: Notification
For serious data security breaches, proactive notification is generally the right strategy. A mandatory notification scheme has been proposed in Australia, with the government promising implementation by the end of 2015.
In any case, there are good reasons to consider voluntary notifications, which include:
Victims may be able to protect themselves, for example by changing passwords, cancelling credit cards and monitoring bank statements.
E-Bay was roundly criticised in 2014 for not acting quickly enough to notify users affected by a hacking attack, and only doing so by means of a website notice rather than by sending individual messages. Notices should be practical, suggesting steps that recipients can take to protect themselves.
The Privacy Commissioner may also be involved, particularly if personal; information has been stolen. The Commissioner may take a more lenient approach to organisations that proactively address problems when they arise.
Other third parties may also need to be notified. For example, if financial information is compromised, you might notify relevant financial institutions so that they can watch for suspicious transactions.
Sign up for CIO Asia eNewsletters.