“Companies want to figure out exactly how a breach happened, but it’s not so simple,” said Charles Wood, Duquesne University assistant professor of information systems management. “Target found out there were problems after some of their customers had credit cards issued under their name in Eastern Europe. (Target) didn’t know how it happened until they launched an investigation and eventually found the vulnerability.”
Thousands of employees of the University of Pittsburgh Medical Center discovered the frustrating aftermath of cybercrime firsthand after a February data breach exposed their names, addresses, Social Security numbers and other W-2 information during the peak of tax season.
What UPMC officials said they initially believed was tax fraud involving a few dozen employees turned out to be an attack that affected approximately 27,000 employees, 788 of whom had false tax returns filed in their names. Last week, UPMC sent out paper and email notices to more than 12,000 employees telling them personal information from their W-2 forms was definitely extracted during the breach. The information of an additional 14,000 may have been viewed during the breach.
A lawsuit seeking class-action status on behalf of employees impacted by the breach was filed in February by Michael Kraemer of Pittsburgh law firm Kraemer, Manes & Associates LLC.
UPMC’s response of notifying all 62,000 hospital employees of the breach and offering professional services and reimbursement to individuals impacted falls in line with industry standards established during massive breaches at retailers Target, Neiman Marcus and, most recently, craft store Michael’s.
But with the scope of UPMC’s breach involving critical Social Security data rather than easily canceled credit card information, some employees are wondering if the company should have found a way to warn those who were directly impacted sooner.
According to Doug Pollack, chief strategy officer for Portland, Ore.-based data breach prevention and response company ID Experts, deciding between the earliest possible notification of those directly affected and blanket notification of all who potentially could be impacted is a tough call.
“It can become a judgment call between speed vs. accuracy,” Pollack said. “It took some time to understand the total scope of the population affected, so that sacrificed immediate notification and might have caused employees to go through troubling issues they could have avoided if they had known sooner.”
On the other hand, Pollack said, the opposite approach of informing victims immediately after discovering data were stolen could have caused panic among thousands of employees who still are waiting on a final verdict regarding the safety of their personal information.
“Most practitioners would prefer not to do creeping notification,” he said. “Best practices tend to be to do enough analysis to understand what happened, then make a judgment call about who to notify. Out of an abundance of caution, most want to notify as broad an audience as they can so they can take steps to protect themselves, whether they are affected or not.”
With or without early notification, affected employees must initiate a relationship with the IRS that begins with identity theft forms and continues for years with an identity theft PIN used to confirm that future tax filings are made by the right person.
Beyond taxes, Pollack said, victims must keep constant watch over their bank accounts and credit reports for the foreseeable future to ensure their personal information isn’t funding someone else’s mortgage or luxury vacation.
For corporations hoping to avoid similar attacks, Duquesne’s Wood said old-school paper storage could be the best solution for personal data because it isn’t a question of if a copycat cyberattack will occur; it’s a question of when.