BreachExchange mailing list archives

JD Wetherspoon breach: three data management mistakes that could have been avoided


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 30 Dec 2015 19:21:25 -0700

http://www.scmagazineuk.com/jd-wetherspoon-breach-three-data-management-mistakes-that-could-have-been-avoided/article/460792/

Mistake No 1: JD Wetherspoon didn't build in a plan for the removal of
information when its old website was no longer needed.

As an article in WIRED explains, data is a renewable resource (similar to
crude oil) and it's vital to maximise its value. But doing that isn't
always an easy or quick process. “To truly maximise the value of data,
organisations must rethink how they create, edit and store it,” says Arvind
Singh in the article. “They must analyse the architecture and standards,
quality, governance and management processes at every phase.” In the case
of JD Wetherspoon, it should have created a plan for the entire data
lifecycle – from creation to storage to finally, secure and permanent
removal when the old website was no longer needed.

Mistake No 2: JD Wetherspoon failed to manage supplier risk.

By definition, supplier risk management is the process of predicting and
preparing for the probability of variables, which may adversely or
favourably affect the supply chain. While I don't have the inside story on
what truly happened, it's safe to say that the company's IT, technology and
legal teams were all involved in vetting and signing off on the contractual
agreement to hire the outside vendor.

But unfortunately, supplier risk management isn't a one-time event and
needs to be done repeatedly after the contract is signed. IT management
teams should ask for regular (weekly, monthly, quarterly, annual) reports
from vendors specifying their internal data security processes, data
removal methods, tools and technology implemented and documentation. They
should also conduct onsite visits (unscheduled) to review a vendor's
protocols in real-time.

Mistake No 3: A crisis response plan wasn't created in advance.

Having a crisis response plan is critical for any business. But it
shouldn't just be limited to customer complaints, product-related problems
and staff behaviour. It needs to be a living and breathing document that's
regularly updated based on frequent audits of your organisation's IT
infrastructure as well as all of your third party vendors' processes,
systems and tools. From there, it then needs to provide expected lead times
for discovery and reporting of breaches, communication guidelines (to
customers, media, stakeholders), hiring of outside risk consultants to
assess the level of damage incurred, and more.

Given that JD Wetherspoon blamed the delay in discovering the data breach
on the fact that the data was held by a third-party company that hosted the
company's old website (which has since been replaced and managed by a new
partner), it's highly unlikely the company had any form of data breach
crisis response plan in place. When companies fail to take this step –
which isn't all that difficult – they don't just destroy their reputations
in the marketplace and incur legal and regulatory repercussions; they
contribute to their eventual decline in sales and stock prices.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 