From a ransomware attack on Colonial Pipeline, one of the largest oil and gas providers in the U.S., to a large attack on U.S. organizations including Microsoft and the Pentagon, cyberattacks have dominated headlines over the last year. Less high-profile attacks are on the rise, too, with 1,291 data breaches so far in 2021 affecting companies including Twitch and a network of dental practices.
Cyber incidents can threaten critical infrastructure and cost companies millions — an IBM survey of more than 500 companies found the average data breach incident cost a company $4.2 million. They also compromise user privacy and valuable personal data and information.
“Hacks happen,” he said at the EmTech MIT conference, hosted by MIT Technology Review. “The organizations that handle them with aplomb keep their integrity. They keep their focus on first principles and they do things as they were rehearsed.”
Prevention is important, Selby said, but creating a plan for action after an attack is also critical — from what to do immediately after unusual activity is detected to how to communicate with the media.
Selby gave an inside look at a 2018 data breach at Timehop — an app that aggregates social media content and photographs to show users what happened on the current day in past years. Selby was a cyber incident responder for TimeHop during the breach and said the incident was a good case study in how an attack can unfold, how companies should prepare, and the importance of responding with transparency and integrity.
The Timehop hack timeline
Hackers gained access to Timehop’s network in December 2017, Selby said, but didn’t access anything notable until July 4, 2018. A Timehop engineer at an Independence Day barbecue received an alert that a password had been changed on the main user database. The engineer changed it back and notified management — something similar had happened before.
The next day, the engineer investigated further and discovered the user database had been compromised. The CEO and COO were notified, and Selby and other responders were brought on board.
The source of the hack was an administrative password that had been compromised, Selby said. Timehop had been rolling out two-factor authentication, which adds an extra level of security beyond a password, but it hadn’t been a major priority, he said. The hacked account was the only one without two-factor protection.
Timehop’s COO made it clear that the company’s first priority was protecting the data of its 21 million users, Selby said. Personally identifiable information involved in the hack included names, some e-mail addresses, dates of birth, and some phone numbers. Keys that let Timehop access social media posts were also compromised, and the company did not report the breach publicly until the keys had been deauthorized — announcing this information prematurely could tip hackers off to the extent of the breach and encourage them to move more quickly.
In the end, the company reported that it saw no evidence that breached data was compromised, and the company conducted audits, instituted several important security measures, and launched a security operations center. Timehop’s cyber security is now a selling point for advertisers, Selby said, and revenue, users, and engagement are all up.
This case offers several important lessons, Selby said.
Have a plan of action in case of a cyberattack
Timehop managed to adequately address the data breach, Selby said, but little had been pre-planned. “Serendipity isn’t a strategy,” he said.
First, companies should have an incident response firm on retainer, he said. No-cost retainers are available, he said, and the firm should be familiar with your digital environment so you don’t have to explain how email is sent and where things are stored in the cloud in the midst of an attack.
Companies should consider paying for a support plan from their cloud service provider — these providers are often well-versed in handling data breaches and attacks, Selby said. A lot of companies won't invest in support until their “hair is on fire,” he said. “That's kind of a bad time to find out that they're not really going to talk to you quickly.”
Have a checklist of things employees should do if they notice something is off. If people aren’t trained to do certain things, they won’t do them, he added, so there should be appropriate training across the board.
Know who to call and what laws are applicable. Companies should know who to contact in law enforcement. Proposed legislation would even require critical organizations to report cyber incidents to the Department of Homeland Security within 24 hours. For others, reporting an attack can be confusing. Timehop reached an FBI automated phone line, Selby said, and had trouble figuring out how to report the crime and getting a human on the phone.
The hack occurred shortly after Europe’s General Data Protection Regulation went into effect, and Timehop, which has users worldwide, had to make sure it was complying with all of those laws.
Test your backups. System and data backups are vital as part of recovering from a breach, and Selby recommended testing them on a quarterly basis. Companies should also make sure backups are fully disconnected from the regular system — otherwise, ransomware could infect them, too.
Have a security communication plan. Companies should have practice exercises about how they’ll communicate after an incident. “You don't want to just throw this together at the last minute,” he said.
In addition to proper planning, Selby said companies should remember four things as they are in the midst of a cyberattack:
Operate with transparency
Timehop’s goal was to be as transparent as possible, Selby said. They wanted to talk to the press and share information as quickly as they could.
After Timehop issued its initial information about what had been compromised, they discovered that other information, such as gender, had been included in the breach. This required the company to issue a second disclosure, which they had hoped to avoid, Selby said. At this point, the company decided to bring in the media, inviting reporters from NBC News and TechCrunch into the “war room” to see the response first hand and to show that the company wasn’t hiding anything.
“People really responded to a company being honest and having integrity,” he said. “It's not that you get breached — everybody gets breached — it's how you handle it when you do get breached this is so important.”
Remember to focus on the customer
Timehop does not take credit card information from customers, which eliminated financial concerns for users. But other information, such as cell phone numbers, could lead to further data breaches for users.
But most of all, Selby said, the company was concerned that information valuable to customers would be available online.
“They understood that it's not just about what the value of the data that you have, it's about the value of the data to the customers,” he said. “We are all stewards of the data we keep for our customers.”
Find weaknesses and fix them
The company audited accounts, credentials, and permissions, Selby said, and made sure employees were using encrypted devices and were running the latest versions of software. Selby suggested bringing in endpoint security monitoring to see if there are any undetected infections.
Use two-factor authentication.
One key takeaway: Timehop made sure two-factor authentication was in place across the board. This is table stakes for modern companies, Selby said, and he advised against SMS-based authentication. “You want an app, you want some kind of authentication application running on your phone or something like a hardware token,” he said.