Learning From a Breach Response
Penn Station's Approach Offers Lessons
The restaurant chain Penn Station's communication in the wake of a payments breach provides an example for others to follow.
Among the updates: On June 8, Penn Station reported that the tally of restaurants affected by its POS breach, which was announced June 1, had grown to 65 from 43.
By comparison, many other companies that have experienced breaches have provided few updates - often burying any new information deep within their websites where it's tough to find.
Global Payments, for example, has provided few details and updates about its breach, now believed to have exposed sensitive details about 7 million credit and debit cards. And finding breach information on the payment processor's site is a challenge.
In addition to providing easy-to-locate updates on its breach, Penn Station's president, Craig Dunaway, has served as lead spokesman on the security incident. When I called the company for information, Dunaway returned the call.
It's rare that I get return calls or even a response from organizations hit by breaches. When I do, I don't hear from presidents. I hear from a spokesperson or receive a cryptic e-mail response.
By responding to media inquiries on his own, rather than delegating to a spokesperson, Dunaway sends a strong message that he is taking the breach at his company seriously and is not hiding behind legal and PR departments for protection.
It's a strategy other corporate executives should follow.
Restaurant Breach Details
Dunaway told me Penn Station learned of the breach after a customer called to report that his card had been compromised shortly after dining at one of the chain's restaurants. Penn Station then contacted its processor, Heartland Payment Systems.
"We've been working with Heartland to address the issue," Dunaway said. "The key is to work with the Secret Service and get down to the bottom of what happened."
Dunaway says the investigation, so far, has not determined the source of the breach. And based on the company's transparency so far, I'm confident the cause, once it's found, will be revealed.
Penn Station suspects the compromise dates back to March. Debit and credit cards used during March and April may have been exposed. The chain has, however, now confirmed that no PINs were exposed in the attack, only names and card details.
"Penn Station restaurants only accept debit cards as a credit card, so no PIN information is collected by Penn Station, and, therefore, no PIN information was accessed," the company's June 5 update states.
Since learning of the breach, all individual owners of the affected franchised Penn Station locations have changed their methods for processing credit and debit transactions, the company says, although the exact methods they have adopted have not been revealed.
Breach Transparency Matters
I blogged a couple of weeks ago about the frequent lack of transparency when it comes to breaches.
Transparency and full disclosure, within the bounds of what the investigation reasonably allows, are important when breaches occur. Of course, organizations have to be sure they understand the basic details of a breach before they go public. But timely, honest notification is essential.
Does your organization have a post-breach communication strategy ready?
All organizations can learn from Penn Station's response to its breach. Getting the president or CEO involved in the response strategy benefits everyone, and shows your organization is committed to keeping the public informed.