Atlassian's tips for effective breach disclosure

In the immediate aftermath of a security breach, companies should ensure they don't use weasel words and have in place strong internal communications and clearly-defined staff guidelines, according to Atlassian head of security intelligence Daniel Grzelak.

Daniel Grzelak

Atlassian made headlines when it migrated its customer database to the encrypted Atlassian Crowd single-sign on in July 2008.

The old database table was not taken offline or deleted, leading to the exposure of customer details and downtime in April 2010.

In a speech to the AISA conference in Melbourne last week, Grzelak said experience had taught him transparency can help to build trust in a company – especially after a breach.

"Customers want regular communications, they want you to be upfront, they want you to be honest and they'll be positive if they perceive a company to be doing the right thing by them," Grzelak said.

"Companies that did the right thing got positive media coverage, the companies that tried to hide things didn't."

ASX-listed companies - which are obligated to disclose any news that could have a material impact on their share price - are hesitant to reveal a data breach, Grzelak said.

But he said the impact on share price in such situations was "often minimal and often very short term".

"I can point you to a lot of articles, and there are hundreds of them, that basically say the same thing, and that is that Wall Street doesn't care about data breaches in the long term."

While the initial instinct can be to go silent when a data breach is discovered, Grzelak said the best results come from being comprehensive and accurate.

"What happens when you don't provide complete information is people will fill in the blanks," he told the conference.

"People will take one piece of information and extrapolate a whole range of information that may or may not be true – and that may not work out well for you."

Preparing to disclose

But before going public, companies must take a few vital steps internally, Grzelak said, like sending out an internal memo to staff.

It is a lesson Atlassian learnt the hard way after poor internal communications about a security breach made the issue more difficult than it needed to be.

"When an account was compromised, our security team contacted a customer and said 'it appears someone has accessed your account using your login credentials that wasn't you. You should probably reset your password'," Grzelak said.

"The customer got that email and said 'this looks like a phishing email, it doesn't look legit. Maybe I should reach out to support'.

"So they reached out to support, and they asked 'is this legitimate?' And because there was no connection between the security team and the support analyst, the support analyst came back with 'you're right, that doesn't look legit, you should just ignore it'.

Organisations also need clear guidelines that divide up responsibilities and appoint a main decision maker, Grzelak said.

"The important thing is you need to get a team lead involved for each of [your main staff] groups, so there's only one person makes the final decision for all the things that need to go out," he said.

"If you don't do this, I guarantee you'll run into problems. If multiple people all make decisions about different things, it just gets crazy and it leads to poor decisions."

How to disclose?

A critical consideration is the form a disclosure will take, with press releases and blog posts two popular options.

"Blog posts allow you to do updates, which is important. Because as you find out more information or as the situation changes, as customers ask you questions and as the press asks you questions, you want to update," Grzelak said.

"Whereas a press release is a one-off thing. You only get to do it once, and you better get it right, because that's what's going to be quoted everywhere."

Others have chosen to build a website specifically to host information pertaining to the data breach.

"Having a specific disclosure website has a lot of real benefits. For example, the SEO is not attached to your main corporate website, so if people search for the breach, they won't be pointed to your main website," Grzelak said.

"And, in the future once your customers and partners have all the information they need, you can kick the website off the internet and it's no longer attached to your brand."

In some cases, especially when news of an incident leaks ahead of an official notification, it could also be worthwhile using Twitter to disclose the news, he said.

According to Grzelak, such a strategy was successfully used by BrowserStack after it was compromised late last year.

"Posting it on Twitter got them a very positive reaction. It might seem like a silly response, but the sooner you can get out before a disclosure with your message, the better," Grzelak said.

Whichever form of disclosure is chosen, it is worthwhile including an FAQ that can answer many of the most important questions without tying up support staff, he advised.

"The major themes [FAQs] generally cover are what happened, what was accessed, how was I affected, what steps are being taken, how are you protecting my data now, and how can I go back to doing what I was doing with your website."

He suggested avoiding using email to notify customers of a breach, given organisations that have recently been attacked are likely to see their customers targeted in phishing attacks.

Avoid weasel words

One of the worst things companies do in their disclosure statements is to resort to overused clichés, according to Grzelak.

The rule of thumb is to think about whether there's a good reason to use a particular phrase, and if not, to take it out, he said - citing "there is no evidence that customer data was stolen" as one of the most overused.

"The recent Dow Jones breach had this in there. They had been compromised for three years. But who keeps accurate and comprehensive logs for everything for three years?" Grzelak said.

"Saying there's no evidence is disingenuous, because you probably don't maintain the evidence for that long."

Likewise, describing an attack as "sophisticated" is unlikely to make customers feel any better about the situation, he said.

Other phrases to be wary of include "we're taking steps" without detailing what those steps are, and "we take security seriously".

"The point we're trying to make is that we're not just taking this lightly, we're doing everything we can to make sure this doesn't happen again and your data is safe," Grzelak said.

"But it wasn't important enough, in hindsight, to have prevented the breach, so don't use empty platitudes."