This week it was Anthem Blue Cross’s time.
The health insurance giant disclosed a massive hack, which compromised records for as many as 80 million people. This included identity information, provider information and financial information, as well as sensitive information like SSN’s. To their credit, they found the breach themselves and reported is quickly and to everyone involved.
Like the Kübler-Ross five stages of grief, the CISO at any company goes through various stages when they learn of a potential breach.
Denial — The phone rings. Well, actually, you get an email from the SOC. “Oh, by the way… we may have a problem…” First reaction. It can’t be happening to me. It isn’t true. It’s just a configuration issue. They didn’t actually get past the firewall. And they couldn’t have exfiltrated 80 million records without us catching them. Besides, we have all the latest and greatest technology, an awesome training and awareness program, a fully stocked SOC and NOC, and up to date anti malware and patching program. It must be wrong.
Anger — OK. So who was the moron who clicked on the link that introduced that code that stole that password that allowed access to that network that had those files that contained that personal information? Just wait till I get my hands on him. Oh, it was the CEO? Um. Never mind. Anger is usually followed quickly by the need to assign blame to someone. Well, to someone else. Users. Vendors. Suppliers. Cloud providers. Managed service providers. Outsourcers. In the law, we call these people “co-defendants.”
Bargaining — Want to bet? Bargaining also happens when a CryptoLocker attacker demands $1 million in Bitcoin to unlock the network from a crypto virus. Hmmm… for 50 thousand could ya just unlock MY files? Bargaining is also when you start to rationalize the attack itself. None of the personal data has shown up on the hacker boards. No evidence that anyone is actually USING the records. The attack was so highly sophisticated that nobody could have prevented it. I have been TELLING management that I needed more resources. Maybe I can use this as a bargaining chip to get what I really need.
Depression — Actually, the cost of this breach will deplete any resources I might have been able to get. All the money for security is going to go to credit monitoring, breach investigation, and ultimately lawyers. (You say that like paying lawyers is a BAD thing.) This is bad. Really bad. Usually, in the immediate wake of a breach you and your staff are far too busy responding to get to this stage. This is reserved for when you finally get home at 3AM and have a few shots of bourbon to get a few hours of sleep before your 7AM status meeting about the breach. And you went to Engineering school why, again?
Acceptance. Actually, this happens to everyone. Just in different ways. If I wait a week, some other hack will take this off the front page, and get the shareholders off my back. And the CEO. And the Board of Directors. Yeah. This is a good thing. I mean, SONY announced that the cost of THE MOST MASSIVE HACK IN THE HISTORY OF MANKIND, OH MY GOD, THE SKY IS FALLING was $15 million, and was not material enough to include in their SEC filings. I’ll get through this stronger than ever.
Until the regulators come. Then it’s back to square one.