Case Study:
Boss, I think someone stole our customer data
By: Sumit Anand
Priyanka Mahapatra
Ameeya Mishra
Tushar Gupta
Brief Overview
About Flayton Electronics
Key People:
Brett - CEO
Laurie Benson - Vice President for Loss Prevention
Sergie - CIO
Sally O'Connor - Communications Director
Frank Ardito - CFO
Darrell Huntington - Longtime Outside Counsel
New Territory in Handling Data Breach
What do you think data theft is all about?
PCI
No clear-cut crime scene to sweep
15% or 1,500 cards were found in a routine check
Which are the most vulnerable areas?
Hacked card readers
Data lines between the stores and the bank being tapped
Is stored data secured?
Insider job
Work of someone who has recently been fired
Mistake
A file tossed into a dumpster
Secret Service
"Keep this under wraps until we get a full picture"
Ethical or Not?
Limited Defenses
PCI compliance is complicated
Only about 75% of the requirements are met
Scanning is not done every day
Should checking be required every day?
Core Values at Risk
Are customers just wallets, or one of the company's important assets?
Shareholder value?
Myopic about infrastructure
Had he pushed too much too fast?
Into the Breach
Compromised accounts increasing: more than 1,500
Loophole in the system: disabled firewall (accidental / deliberate)
The firewall was part of the wireless inventory control system; internal company data was essentially being broadcast
The firewall created problems (bugs; the system crashed after the bug fix)
The broadcast was short range, so the perpetrators might be insiders or others with access to the system
3 communication options:
a) Press conference - the most forthright approach
b) Informing customers by letter - might create more customer anxiety than reassurance and make the company appear to be hiding something
c) Do nothing until law enforcement is ready to go public - easiest in the short term because it puts the decision in someone else's hands
CFO Frank and outside counsel Darrell disagreed on whether to disclose the matter publicly.
Darrell believes that whoever goes public first will get sued, and that there is bound to be a lot of media coverage.
Darrell wants the communications manager to stay silent toward the media.
One of the affected accounts belonged to a TV news reporter.
Brett is unsettled by the fact that his father's decades of work and reputation are on the line.
Brett analyzes the scenario:
a) There is evidence that a breach has occurred
b) Terminated employees might be involved
c) 3 out of 6 states require disclosure
d) The Feds want normal working conditions and time to catch the perpetrator
e) A television personality is among the victims
f) There is a probability of getting sued upon disclosure
g) If not disclosed, it will eventually leak
h) Competitors will gain an advantage with promotions
i) He can't ever look a customer squarely in the eye again
Anyhow, he wants to overcome this situation quickly.
Case Commentary
"Beyond fixing the firm's weaknesses in data security, the CEO must develop a brand-restoration strategy."
Suggestion 1
by: James E. Lee: is the senior vice president and chief public and consumer affairs officer at ChoicePoint, based in Alpharetta, Georgia.
"You need people on hand with the digital expertise to match wits with tech-savvy cyber criminals."
Suggestion 2
by: Bill Boni: is the corporate information security officer for Motorola in Schaumburg, Illinois. He is also a vice president and board member of the Information Systems Audit and Control Association, a global organization based in Rolling Meadows, Illinois.
"Making data security a priority for the future and communicating the specific policy changes that flow from that may allow the company to become recognized as a leader in this area."
Suggestion 3
by: John Philip Coghlan: is a former president and CEO of Visa USA, headquartered in San Francisco.
"Not alerting customers right away is not the same as doing nothing."
Suggestion 4
by: Jay Foley: (jfoley@idtheftcenter.org) is the executive director of the Identity Theft Resource Center in San Diego.