Don’t Ring the (False) Alarm: When a Data Loss Event Isn’t a Breach

Posted by Mark Greisiger

A Q&A with Darin Bielby and Jeremy Batterman of Navigant Consulting’s Information Security & Investigations Practice

During a recent Risk and Insurance Management Society (RIMS) panel discussion, Navigant Managing Director Darin Bielby asserted that 50 percent of the organization’s information security forensic investigations yield evidence that enables legal counsel to advise companies that a data breach did not occur. These findings typically demand no further action or notification about the event, though some organizations proceed with additional precautionary measures. I talked with Bielby and his colleague Jeremy Batterman about the reality of data privacy events and what forensic investigators are seeing.

If the data doesn’t leave the machine, then technically it’s not a breach.

The fifty percent statistic is surprising. Can you explain why this might be happening?
DB: Yes, this percentage is much higher than what we found last year, but it doesn’t mean that breaches aren’t happening. Historically, we could affirmatively rule out a breach a third of the time, and another third of the time it’s more of a gray area where we can see that sensitive data was exposed but cannot prove or disprove that the data was exfiltrated due to lack of evidence like log files. From my perspective the percentage shift has been driven by ransomware, which is designed to encrypt computer data—not necessarily to steal it. We’re seeing a higher frequency of ransomware attacks being investigated by forensics firms like Navigant, due in part to more companies with cyber insurance and an increasing probability that additional malware was also inserted at the same time as the ransomware attack, prompting companies to do an investigation in addition to reinstalling the infected machine from backup. If the data doesn’t leave the machine, then technically it’s not a breach.

JB: Another situation that has been on the rise is a generalized type of malware that is sent by an attacker who doesn’t understand the type of system or the particular data housed in it. They might be targeting someone else entirely, or it might be setting the company’s system up to become part of a botnet. We won’t see the attacker’s “hands on the keyboard” in this situation and again, no data is lost.

How are these determinations made?
JB: We look at the logs and any other type of monitoring system the organization has and then we look for any sensitive data, where and how the attack commenced, the level of the intrusion, what type of systems were exploited, and if there’s any malware. The behavior of the malware can tell us how it communicates with the attacker. Then we can go further and see the artifacts on the system that will tell us what access was given and how much movement was made on the system. All of this shows the attacker’s level of skill and whether, for example, it’s a nation state attack or a kid-in-the-basement type of scenario and what the motivations behind the attack might be.

What happens when you determine that the event doesn’t look like a breach?
DB: We present our findings to legal counsel and the client company who then make the determination as to whether the data incident was a breach and whether notification is required by the state or regulatory agencies. Often Navigant is also retained to do the data mining of the company’s systems to provide the company, through their counsel, with a list of whose data was impacted in a usable format that can be used for notification, credit monitoring, etc. Navigant provides that service if we do the initial investigation but we are also often retained after another forensics firm has done an investigation as most of our competitors do not have this skillset.

Do you still see companies getting talked into voluntary notification by a vendor or counsel even when laws or regulations haven’t been triggered?
DB: Typically, we are just coming up with the evidence of the risk of harm, and the company has to make the call from there. As I mentioned, sometimes they do need us to assist with data mining for notification, and that can happen when the risk of harm is minimal, but legal counsel is rightfully driving the notification decision based on their understanding of the constantly shifting legal and regulatory environment. A greater issue can be companies rushing to notify before engaging legal counsel and forensics firms like Navigant. This often leads to notification when a breach ultimately did not occur, notifying the wrong people, or having to do a second notification to other impacted individuals. This increases exposure to the company in the form of brand damage, additional costs, and privacy class action litigation.

JB: Another situation that can be ambiguous is if the actual event occurred some time ago and the organization no longer has the evidence in the form of log files and other data that Navigant needs to support their case one way or another. In this situation, we have seen organizations decide to play it safe and request a notification list even if there was no concrete evidence that a data breach occurred.

What’s a real-life scenario in which the findings suggested that notification was not necessary?
DB: We had a health system that noticed a cabinet was missing and, upon investigation, realized that cabinet had housed years of backup tapes containing past client billing information. The system that was used was an AS400, which enabled Navigant to persuasively argue to the company, their counsel, and ultimately the State Attorney General, that the data would be prohibitively expensive for someone to access and that, as a result, notification was not necessary.

What are some challenges for external investigators assisting clients in a forensic investigation?
JB: For me, the biggest challenge is having the right data from the customer. We tell our clients that as storage costs have continued to shrink, it can be very inexpensive to set up proper logging. This information is invaluable evidence for a forensic investigation down the line. If there’s no logging there is much less visibility into what’s going on and it makes it hard to disprove that a data breach occurred.

DB: From our perspective, one year’s worth of logs is the recommendation for clients. It sounds obvious, but clients need to test their access to the log files when using third parties and also turn off the functionality which records over previous logs when a data privacy incident is first suspected. Sometimes companies think they have logging correctly set up but they haven’t tested it so when the time comes to look at the data it turns out to be garbage. That puts the company in a bad position if they want to disprove that a breach is happening. Everyone watches crime dramas: The scene of the crime is usually cordoned off before the detective gets there. The same should be true of a suspected breach scenario. You want your IT folks to disconnect from the internet but not turn the machine off or you risk losing important artifacts.

What else should companies do in preparation for a potential future event?
JB: Take a picture of the back of your machines or record the model and serial number information in a safe place so that the forensics team can be sure to bring the right equipment to get a forensic image of the machine. Make sure you have procedures and policies in place that will allow an investigator to walk in and do their job. Sometimes we find internal politics or turf wars can get in the way of an investigation. Usually, this is due to a lack of knowledge but educating employees on how to handle these situations can help an investigation go much more smoothly.

In Summary…
We want to thank Darin and Jeremy for their frontline insights into an issue that impacts many organizations. A skilled computer forensic investigator who is accustomed to working in partnership with the organization’s Breach Coach® (or insurance carrier counsel) can best determine if in fact a data breach actually—and legally—occurred. This process is crucial to ensuring the optimal approach to handling the event. Anecdotally, we see that in many cases the organization doesn’t need to take any additional action once it has conducted that good faith investigation.