Data breaches in information security have become an inescapable reality. A common inquiry we receive here at HackerOne is for guidance on how to most effectively respond to one of these unfortunate incidents. There are no easy answers. Our hope is the following guidance can serve as recommendations for any victim of a breach.
Before we dive in, I'd like to offer a brief note on confidentiality. HackerOne treats the confidentiality of our customers with the utmost respect. Our policy is to not comment or speculate on any breaches or vulnerabilities impacting the programs we have the privilege of hosting.
In addition, for the majority of the programs hosted by HackerOne, our relationship as a platform provider does not grant us privileged access to information on their breaches, vulnerabilities, or context surrounding individual bounty payments.
Your first priority following the discovery of unauthorized access to data ("a breach") should be incident response, and that means preparing for a breach before it happens. A proper incident response plan focuses first on mitigations that stop the bleeding and cut off the unauthorized access to further data.
An effective process should be designed to produce clear answers to the following questions:
- What data was breached and who did it belong to? (specifically what data types?)
- How was the data breached?
- When was this data breached? (a full timeline of events)
- Who breached it? (criminal, rogue employee, accidental disclosure)
There is often a large amount of uncertainty that remains even after significant evidence gathering has occurred. It is not uncommon for "we don't know" to be the answer that remains to at least some of these questions. Once armed with your best answers to these questions we can prepare your response.
In many significant breaches, notification to individuals whose data was affected, such as customers or employees, may be legally required. Whether notice is obligatory requires familiarity with a dizzying array of state, federal and other countries’ data protection laws. There are lawyers who specialize in these laws, and you should consult one if you find yourself in this situation.
Even in the absence of a legal requirement, public disclosure may be in the best interest of both the breached company and the persons whose information was impacted. To be able to answer the question of whether you should provide notice, you should strive to have the applicable laws mapped to any data you hold ahead of an actual breach.