NIB leaks customer details: Four security lessons for your business
Tuesday, June 23, 2015
NIB private health fund customers logging onto their online portals yesterday were able to view other NIB customers’ mobile numbers, email addresses and claims history between 10.33am and 11.35am.
Alarmed customers notified NIB about the problem and Fairfax reports customers were still able to access the portal 30 minutes after phoning the insurance company.
A spokesperson for NIB told SmartCompany this morning the insurer can confirm “no credit card information of any customer was displayed.”
“Nib apologises unreservedly to the customers affected by this issue. Nib takes the privacy of our customers very seriously and has also taken the step to key stakeholders including our regulator and ombudsman,” the spokesperson said in a statement.
Customers have since lashed out about the incident, with many taking to Facebook about the lack of communication around the incident.
Michael McKinnon, security adviser for AVG, told SmartCompany there are steps small businesses can take in order to prevent a breach.
The information leak affected 329 customers who accessed online services during this time and McKinnon says “as our business systems become more complex over time it’s a given that you’ll end up with more software bugs becoming a threat”.
Here are four security lessons for your business from the breach:
1. Regular website tests
In our society, a business’ website is more often than not a customer’s first point of contact, and with more and more businesses incorporating online portals into their operations, online security is crucial.
“A fundamental mistake SMEs make is that they have their own web developers testing their sites. That’s never as good as having someone else test your site,” says McKinnon.
“Sometimes it can be a case of the SME owner thinking like a hacker. If this was someone trying to come after your business and your held data, you have to think about what they might try, and do it to see if it works.”
2. Updating information kept by the company
Keeping only the necessary information in your database minimises the scale of the risk your company faces should a breach occur.
“The privacy principle your database should be adhering to is to only be keeping information for critical function. If you don’t need it, get rid of it,” says McKinnon.
Reducing the “attack surface” or “security footprint” of the data your company stores will make your systems run more smoothly and limit the potential for information to become compromised.
3. Updated software for your online platforms
The web platforms used by a business are crucial to not only the way your platform runs but also the bugs you can be exposed to.
“In terms of the technology side, ensuring the web platforms and all the systems are connected, maintained and up to date is crucial. This needs to be done regularly,” says McKinnon.
“Security bugs can be found in common web platforms, such as WordPress, and when security patches are released by these platforms your company needs to make sure they’re installed and active – as they are common knowledge to hackers.”
4. If your security is ‘breached’ – have a crisis plan
Following the initial temporary disabling of the company’s website, a crisis plan should be put into action.
McKinnon suggests SMEs have a pre-written document in the event of a database breach, saying “businesses shouldn’t ever find themselves in a position to deal with this unprepared”.
- 24-hour access to technical assistance, not only to temporarily disable the website should anything happen, but also for staff to utilise on a day-to-day basis.
- Legal advice: SMEs need this on hand as a quick reference to the legal avenues that can be exercised and actions to avoid. This doesn’t simply act as a reminder to contact any in-house legal but also urges you to contact police e-crimes units when necessary.
- Public relations advice to minimise negative fallout and maintain brand integrity.
- Quickly communicating with customers in the event of a privacy breach occurring. This might just be an email template.