E-commerce data breach: what to do when it hits the fan (part 1 – security interventions)
A breach of financial or personal customer data could happen to any business. Not every security breach is devastating, but the more prepared you are to deal with it, the quicker and easier it will be resolved. But it probably seems so unlikely that you haven’t planned for it. It happens to big brands, right?
You need to work out how you’re going to stop the breach or resolve its effects with the help of your systems admin, at the very least.
Pull the plug! Can we pull the plug? Phone the systems admin. Where’s their number? Who’s got their number? Do we have a systems admin? CAN THEY FIX THIS?
We also recommend you consider how you’ll communicate the incident. That deserves a blog post of its own (read on for more details). First, here’s our practical checklist that will stop a hack or minimise its success.
Make appropriate security interventions
1. Check it’s really a hack
One user having an error/issue shouldn’t cause you immediate panic – though your customer might need reassuring. Ask them for full details about their issue like their browser, operating system, the time of error – all this will help you check logs on the system.
2. Make it happen again
If you can replicate the issue or numerous complaints come in, you’ve got a reason to worry. If you can’t make it happen again and no other customers report the same issue, continue to monitor the situation while your customer service team supports your aggrieved user.
3. Call your system admin
Provide them with the information you’ve collated so they can take a closer look. Ask them to update you regularly. If a breach has happened, they can give you more details and possibly an early estimation of the damage.
We’ve talked a little bit about systems admins and supported hosting before, in the context of server & platform advice. It’s worth checking what kind of support package you have and how this could impact on an emergency.
4. Turn off e-commerce
If your issue will take time to fix, disable all e-commerce functionality on your site and put customer notices up on key pages. This early in the investigation, there isn’t a lot to tell your users, so a generic message about maintenance upgrades is fine.
5. Analyse & plan
If your system admin confirms a hack, ask them to list out what’s happened, how it occurred and if there’s been a data breach. They should tell you how they plan to fix it and how long they think it will take.
However, if there hasn’t been a breach, make sure the false alarm has been explored and your website isn’t compromised in another way.
6. Communicate & mitigate
If you’ve had a data breach, email people who’ve been affected to let them know what’s happened. Ask them to reset their password or force a password reset.
Personal data breaches must be reported and, wherever you trade in the world, you’ll have a time-sensitive window to inform the regulator for that territory – be aware the clock is ticking.
But if there definitely hasn’t been a breach and your site has no other issue needing attention, you can remove your maintenance notices and turn e-commerce back on.
Once your systems admin has fixed the issue or hack, the next step is to run a few test orders to verify that all’s well. If it is, remove maintenance messaging and enable e-commerce functionality.
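The checklist above leans on two technical tasks that are easy to describe and easy to get wrong under pressure: correlating a customer’s report (browser, time of error) against your logs to see whether anyone else was hit (steps 1 and 2), and flagging affected accounts for a forced password reset (step 6). The script below is an added example, not code from this article or from any product it mentions. The log format, the `Entry` fields and the account records are all constructed for illustration; your own log format and account store will differ, so treat the regex and the `accounts` dict as placeholders.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log format for this example (not a real product's format):
# <ISO-8601 time> <client IP> user=<id> "<request line>" <status> "<user agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: two Firefox users hit a 500 at ~10:15, one Chrome
# user is fine, alice returns later with no error, and one line is malformed.
SAMPLE_LOG = """\
2024-05-01T10:14:55Z 203.0.113.5 user=alice "GET /checkout" 500 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
2024-05-01T10:15:02Z 198.51.100.7 user=bob "POST /checkout/pay" 500 "Mozilla/5.0 (Macintosh) Firefox/125.0"
2024-05-01T10:16:10Z 192.0.2.9 user=carol "GET /product/42" 200 "Mozilla/5.0 (X11; Linux) Chrome/124.0"
2024-05-01T12:30:00Z 203.0.113.5 user=alice "GET /account" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
this line is deliberately malformed and must be skipped
"""


@dataclass
class Entry:
    ts: datetime
    ip: str
    user: str
    request: str
    status: int
    ua: str


def parse_ts(value):
    """Parse an ISO-8601 timestamp; 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(lines):
    """Turn raw lines into Entry objects, silently skipping malformed lines."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(parse_ts(m["ts"]), m["ip"], m["user"],
                             m["request"], int(m["status"]), m["ua"]))
    return entries


def triage(entries, reported_at, browser, window_minutes=10):
    """Steps 1-2: look around the customer's reported time for requests from the
    same browser family, count server errors, and decide whether more than one
    customer is affected (the article's 'numerous complaints' trigger)."""
    centre = parse_ts(reported_at)
    lo, hi = centre - timedelta(minutes=window_minutes), centre + timedelta(minutes=window_minutes)
    matched = [e for e in entries if lo <= e.ts <= hi and browser.lower() in e.ua.lower()]
    errors = [e for e in matched if e.status >= 500]
    affected = sorted({e.user for e in errors})
    return {
        "matched": len(matched),
        "errors": len(errors),
        "affected_users": affected,
        "escalate": len(affected) > 1,   # more than one customer: call the sysadmin
    }


def force_reset(accounts, users):
    """Step 6: flag each affected account for a mandatory password reset and
    drop its live sessions. Returns how many accounts were flagged."""
    flagged = 0
    for user in users:
        record = accounts.get(user)
        if record is None:
            continue                      # unknown id: nothing to reset
        record["must_reset"] = True
        record["sessions"].clear()
        flagged += 1
    return flagged


def run_example():
    """Drive the sample data end to end; returns (triage result, reset count)."""
    entries = parse_log(SAMPLE_LOG.splitlines())
    result = triage(entries, "2024-05-01T10:15:00Z", "Firefox")
    # Constructed account store: user id -> reset flag and session tokens.
    accounts = {
        "alice": {"must_reset": False, "sessions": ["s-1"]},
        "bob": {"must_reset": False, "sessions": ["s-2", "s-3"]},
        "carol": {"must_reset": False, "sessions": ["s-4"]},
    }
    reset_count = force_reset(accounts, result["affected_users"]) if result["escalate"] else 0
    return result, reset_count, accounts


if __name__ == "__main__":
    summary, resets, store = run_example()
    print(summary)
    print(f"accounts flagged for reset: {resets}")
```

The window size and the "more than one affected user" threshold are judgement calls; the point is to have the comparison scripted before an incident so that step 2 is a command you run, not a debate you have.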
Don’t rely on our list
Have we made this look easy? Well, good. But don’t stop here. Around 95% of setups/hosting environments are different, so one simple checklist doesn’t fit all. Again, see the link below and refer to our article on keeping your e-commerce systems robust.
For example, your setup could mean a scenario where your site has been hacked but sensitive data is perfectly safe; or your payment gateway partnership might have a process whereby they offer help or jump right in if they detect malicious activity. There are many variables for you to consider.
Bookmark this article – you might need to refer back to it as you pull your plan together. Once you start plotting out who, what, when and how, you’ll really start to feel the benefit – and the scale – of what happens in a website security crisis.
As well as resolving the breach – often simultaneously – you’ll need to execute a crisis communications plan. For our insight into this, see the link below and head over to part 2 of this data breach double bill.
Photo by Nathalie Spehner on Unsplash (cropped). This article first appeared on Medium.