
Case Study:

Boss, I think someone stole our customer data

BY SUMIT ANAND
PRIYANKA MAHAPATRA
AMEEYA MISHRA
TUSHAR GUPTA

Brief Overview
About Flayton Electronics

Key People:

Brett - CEO

Laurie Benson - Vice President for Loss Prevention

Sergie - CIO

Sally O'Connor - Communication Director

Frank Ardito - CFO

Darrel Huntington - Longtime outside counsel

New Territory in Handling Data Breach


What do you think data theft is all about?
PCI
No clear-cut crime scene to sweep
15% or 1500 cards were found in routine check

Which are the most vulnerable areas?

Hacked card readers
Data lines between the stores and the bank being tapped
Is stored data secured?
Insider job
Work of someone who has recently been fired
Mistake
Tossed a file into a dumpster

Secret Services
Keep this under wraps until we get a full picture
Ethical or not?

Limited Defenses
PCI compliance is complicated
75% or so of the requirements are matched
Scanning is not done everyday
Should checking be required everyday?

Core Values at Risk


Are customers just wallets, or one of the important assets?
Shareholders' value?
Myopic about infrastructure
Had he pushed too much too fast?

Into the Breach


Compromised accounts increasing: > 1500
Loophole in the system: disabled firewall (accidental / deliberate)
Firewall part of the wireless inventory control system: internal company data were essentially being broadcast
Firewall created problems (bugs, system crashing after bug fix)
Broadcast was short range: perpetrators might be insiders / people who have access to the system
3 communication options:
a) Press conference: most forthright approach
b) Informing customers by letters: might create more customer anxiety than reassurance & make the company appear to be hiding something
c) Do nothing until law enforcement was ready to go public: easiest in the short term because it put the decision in other hands

CFO Frank and outside counsel Darrell disagreed on whether or not to disclose the matter publicly.
Darrell believes that whoever goes public first will get sued & there's bound to be a lot of media coverage.
Darrell wants the communication manager to stay silent with the media.
One of the affected accounts belonged to a TV news reporter.

Brett is uneasy over the fact that his father's decades of work & reputation are on the line.
Analyzes the scenario:

a) Evidence that a breach has occurred
b) Terminated employees might be involved
c) 3 out of 6 states need to disclose
d) Feds want normal working conditions & time for catching the perpetrator
e) Television personality among victims
f) Probability of getting sued on disclosure
g) If not disclosed, it will eventually leak
h) Competitors will have an advantage with promotions
i) He can't look a customer squarely in the eye ever again

Anyhow, he wants to overcome this situation real quick.

Case Commentary

Beyond fixing the firm's weaknesses in data security, the CEO must develop a brand-restoration strategy.

Suggestion 1
by: James E. Lee: is the senior vice president and chief public and consumer affairs officer at ChoicePoint, based in Alpharetta, Georgia.

You need people on hand with the digital expertise to match wits with tech-savvy cyber criminals.

Suggestion 2
by: Bill Boni: is the corporate information security officer for Motorola in Schaumburg, Illinois. He is also a vice president and board member of the Information Systems Audit and Control Association, a global organization based in Rolling Meadows, Illinois.

Making data security a priority for the future and communicating the specific policy changes that flow from that may allow the company to become recognized as a leader in this area.

Suggestion 3
by: John Philip Coghlan: is a former president and CEO of Visa USA, headquartered in San Francisco.

Not alerting customers right away is not the same as doing nothing.

Suggestion 4
by: Jay Foley: (jfoley@idtheftcenter.org) is the executive director of the Identity Theft Resource Center in San Diego.
