National Childbirth Trust data breach: Industry reaction

Yesterday, news broke that The National Childbirth Trust has apologised to 15,000 new and expectant parents after their registration details were accessed in a "data breach" where email addresses, usernames and passwords were "compromised."

Various industry professionals have offered their analysis and insight into yet another example of the security landscape threatening organisations all over the world.

Simon Crosby, CTO and co-founder, Bromium:

"This incident at The National Childbirth Trust will be a wake-up call for people. But it's not the first. Certainly it will provide a clear message to chief execs that if something like this happens then they can expect to be paraded in front of a voracious media – and they'd better have some good answers to some tough questions. Businesses have no excuse that they were not aware of nor prepared for such attacks. They'll need to prove that they took all reasonable steps to protect themselves. How they respond may be the difference between a damaging incident and a fatal disaster.

"When we hear about attacks that have persisted on a compromised system for weeks or even months before detection, it is unlikely that hackers were waiting to take advantage of the breach, but far more likely that existing detection-based systems failed to properly respond to the attack. Organisations invest in a broad array of security solutions with the promise of actionable security insight, but the reality is that they are swimming in a sea of false alerts. Understanding hacker behaviour is as difficult as looking for a specific needle in a haystack that is 50 feet tall and made of other needles. When a hacker breaches a system, they will squeeze it for anything of value, including compromising endpoints for botnets, servers for bandwidth and of course the imminent threat of lost intellectual property or financial information.

"For end users and security teams this manifests as a noticeable decrease in system performance and unusual network connections, among other factors. If organisations are serious about keeping hackers out of their systems, they need to embrace proactive protection as the foundation of their security architecture. For example, hardening and isolating systems prevents data breaches, eliminating the need for costly detection and response."

Richard Beck, Head of Cyber Security at QA:

"This latest attack against the NCT highlights that today's IT criminals bear no consideration for the victims who ultimately bear the brunt of their illegal cyber handiwork – be that through financial loss, reputational damage or mental distress. The sad truth is that the onslaught of cyber attacks is pretty much unstoppable. That said, organisations can defend themselves by training their staff and ensuring they have robust plans in place to minimise the chances of a cyber attack, including an agreed – and rehearsed – plan of action."

Paul Kenyon, co-CEO at Avecto:

"The National Childbirth Trust (NCT) has suffered a relatively substantial data breach which will harm the company's reputation and could put its users at risk. However, their response to the issue should be applauded, as we've seen others like Talk Talk struggle with communication and remediation in the aftermath.

"Organisations are often chastised for their response to data breaches, so it's only fair that we also recognise good practice and learn from it. NCT alerted its users on the day of discovery – sensibly recommending that they change their passwords – and quickly reported the matter to both the police and the Information Commissioner. It also stored passwords in an encrypted format, which gives an extra layer of protection.

"It's of some comfort that companies are now getting their breach notifications out faster, with clear explanations of what data was accessed. This will be legally required in future when the new EU data protection regulations are enforced. All this aside – fundamental concerns over data security in businesses across the globe remain."

Eduard Meelhuysen, VP EMEA at Netskope:

"While many affected organisations wait to inform customers of a breach, NCT contacted users on the day of discovery to notify them of the issue and offer advice – a positive step. Although the final text of the European Union General Data Protection Regulation (GDPR) is yet to be brought into law, mandatory data breach reporting is firmly on the agenda.

"Under the GDPR, companies will be required to notify national data protection authorities of a serious data breach within 72 hours. In certain cases, businesses will also be required to notify affected individuals so they can take necessary precautions and remain vigilant to cyber criminals making use of their compromised data. While many businesses may initially struggle to comply with such strict measures, NCT clearly demonstrated best practice by quickly identifying not just the breach itself but also the data most likely to have been affected.

"As more data is stored off-premises, organisations must take steps to secure data wherever it may be – especially in cloud apps – remaining vigilant to unusual user behaviour and ensuring the correct security controls are in place."

Christine Andrews, managing director, DQM GRC:

"All organisations, particularly those which handle sensitive and private personal details, have a legal and ethical duty to protect their customers' data. However, small businesses and charities may feel that they don't have access to the necessary resources, or that they lack the technical expertise, and often don't consider themselves worthwhile targets for hackers – and the consequence is that many don't have a sound approach to tackling data security.

"Whilst securing data may sound like a complex process, in the vast majority of incidents the root cause can often be traced to simple management issues or human errors, as opposed to complex technical failures. While most would recognise that good password management is important, one of the most common and overlooked causes of a successful hack attack on websites is poor patch management – simply ensuring that all software is regularly updated with patches eliminates many of the vulnerabilities that hackers use to gain access to systems.

"Good patch management should be tested by a system penetration test (pentest) every six months to identify any residual weaknesses. However, companies should not wait for these tests to occur before they start thinking of security – it is vital to regularly update systems with patches as quickly as they are released.

"Ultimately, all organisations (in particular those that handle sensitive data) need to properly assess the risks and consequences of a data breach, and consider what would happen if that data was made public. This should encourage them to implement the necessary resources and adequately strengthen data security."
