The Fraud Blog with Tracy Kitten

The Right Way to Respond to a Breach

Open Communication Goes a Long Way with Customers

Let's talk about breach response done right.


DBS, one of the largest retail banks in South East Asia, recently issued warnings about a $1 million [U.S. $774,594.06] card-fraud scheme it traced to two ATMs. And after the skimming attack hit 700 of its accountholders, DBS took a proactive step and launched an SMS/text alert service to ensure accountholders were provided up-to-date communications about their balances. [See ATM Fraud Prompts Text Alerts.]


Even the bank's CEO got in on the action by issuing a public apology for the compromise. Over the next week, DBS regularly updated its website with new information - sometimes several times a day.

Could you ask for better acknowledgement and awareness efforts?

Perhaps DBS has just been faster to figure out the communication perils the Internet Age poses. But compare this bank's breach response to reactions we've seen from some organizations in the U.S.

Remember in fall 2010, when Chase's online-banking site went down? Chase was reluctant to say anything about the outage. Or how about last March, when several Bank of America debit cardholders noticed fraudulent transactions hitting their accounts? BofA responded, but the communications offered no guidance, no admission of fault and no resolution. [See Bank of America Denies Breach.]

We've learned over the last 12 months how ineffective and potentially damaging it can be to say too little about a security incident. But how much information is too much?

It's hard to compare DBS's communications with the ways most U.S. institutions react to security incidents. Many attorneys and PR departments would never suggest the head of a top-tier institution admit responsibility for an incident, much less provide ongoing updates that could later backfire and be used in a court of law.

But legal and PR departments have to realize they can face great reputational damage by saying nothing. As breach response garners more attention, organizations all over the world will be held to higher standards.

I think we can all learn from the DBS example. It's better to take responsibility from the outset than to be held accountable later.

About the Author

Tracy Kitten


Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by ABC News and MSN Money.
