Recent disclosures by the FDIC and Wendy's following breach incidents underscore the protracted nature of detection and post-breach notifications. States in the U.S. and the European Union hope to shorten that timeline.

Last month, the FDIC detected and moved to mitigate a breach of 44,000 customer records after an employee leaving the agency in February inadvertently downloaded the data containing personally identifiable information to a removable media device.

Earlier this week the FDIC reported to Congress that five additional major data-breach incidents occurred since Oct. 30. In every case, employees with legitimate data access left the agency and inadvertently downloaded personal data. The agency retroactively reported the breaches because the FDIC closed the case before its Office of Inspector General defined them as major incidents, which involves at least 10,000 records.

The NCUA has not had any reported similar incidents or PII breaches, according to Public Affairs Specialist John Fairbanks.

In January, the first news emerged about possible credit card breaches at East Coast and Midwest locations affiliated with Wendy's and its quick-serve restaurants chain.

Almost four months later, Wendy's issued an official acknowledgement, but through its first quarter financial report. The company confirmed malware on POS devices at fewer than 300 of the company's 5,500 franchised stores and none in any corporate-owned locations.

“While Wendy's has not yet fully completed its investigation into the breach, its preliminary data indicated the breach likely first started in the fall of 2015 and involved the installation of malware through compromised third-party vendors,” the report said. The fast food chain also revealed approximately 50 franchise restaurants with unrelated cybersecurity issues.

“The findings come as many credit unions and banks feeling card fraud pain because of the breach have been grumbling about the extent and duration of the breach,” Brian Krebs, who first disclosed the breach on his blog Krebs on Security, wrote. Multiple financial institutions said some breached locations were still leaking customer card data in early Spring.

In April, the $41.6 million New Castle, Penn.-based First Choice Federal Credit Union filed a breach-related class action lawsuit against Wendy's.

The lengthy time involved in the detection and notification process is not uncommon.

“Finding out about a breach and determining the scope, then looping in legal, PR and outside third-party mitigation parties simply takes a lot of time due to the hidden nature of the breach,” Stu Sjouwerman, founder and CEO of Clearwater, Fla.-based KnowBe4 said.

“According to the Verizon Data Breach Investigations Report, 66% of breaches took months, sometimes even years to detect,” John Peterson, vice president of enterprise products at Clifton, N.J.-based Comodo, said.

“Until consumers are more aware of and begin making noise about these delays, specific governmental intervention may not happen for some time,” Peterson added.

In April, the European Parliament approved General Data Protection Regulation rules, which applies to any business with customers in the European Union directly or online. The GDPR, set to begin in two years, requires organizations that experience a data breach to report it within 72 hours of the company becoming aware of the breach. Violating the rules could cost a firm as much as 4% of its worldwide revenue.

“The step taken by the European Union could be a model for our government to follow, allowing the cybersecurity community as a whole to get a better handle on threats. And the individual consumer will benefit as well,” Peterson said.

In the U.S., breach notification laws fall mostly to individual states. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify compromised individuals of data breaches.

Tennessee recently amended its law. Starting July 1, companies must notify Tennessee residents of data breaches immediately, defined as within 45 days of discovery, unless law enforcement requests a delay.

“The problem is that the U.S. favors business autonomy from the government. I do think [notification] legislation is possible, but not probable until 2020 when enough voters have felt these effects and other industries feel the losses,” Paul Kubler, digital forensics and cybersecurity examiner at New York-based LIFARS, said.

Continue Reading for Free

Register and gain access to:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).