Here's a delightful bit of survey happiness out of Ireland: a vendor survey found that "almost half of Irish businesses wouldn’t disclose a data security breach to impacted third parties, including customers and suppliers." Even worse, these results likely underestimate how many execs agree with that thinking, but are shrewd enough to not share that with someone taking a survey.
The survey result is surprising only in that so many executives admitted to that desire not to disclose. But actually suppressing a data breach from customers—or investors, suppliers, resellers, franchisees or anyone else—is the quintessential self-destructive act. Why? Because sooner or later (trust me, it will be sooner), the news will get out, and it will be phrased in the least positive way possible. If you want to do damage control, announce it in the best way. Suppressing it does nothing other than ensure that other people announce it for you.
How will others learn of it? Let us count the ways. When the thieves start to use your data, it will be detected. Processors (yours and others) and card brands will look for a common point of purchase. That will be you. They will report it. Law enforcement will look for the trail, which will also lead to you. Your customer victims will discuss it on social media, where consumers—and quite likely some reporters—will piece it together. The thieves might be arrested for an unrelated offense and admit to breaking into your operation. Etc.
If you disclose, you will be able to color the first perceptions of the incident. Before you've even said word one, you're ahead of the game because your customers/shareholders/partners will hear about it first from you. That gets you serious points. You can say that your security mechanisms detected this breach and that it's a testimonial to your solid security systems, implying that your rival companies might never have detected it. Detection implies customer protection.
Getting breached is never a good thing, but at least put the best face on it you can while you still—albeit briefly—control the story.
Beyond PR, there are pragmatic reasons to do this. First, it alerts your customers (and partners) to watch for unauthorized transactions. That in turn will help law enforcement to catch the attackers, which is ultimately your goal. If they are caught and the damage is minimized, you're more likely to escape with your reputation mostly intact.
There will be several post-breach investigations—and just about all of them will look more favorably on you if you announce quickly. There will be a PCI-related probe from your processor and the relevant card brands. No mystery there. The "investigation" will quickly conclude that your assessor was wrong and that you were in fact not PCI compliant. (Whenever Visa or MasterCard is involved, consider yourself a character in George Orwell's 1984. The fact that you were breached of course proves that you weren't PCI compliant, right? PCI is perfect, no? Think I'm exaggerating? Wait until you're breached.)
There will also be a law enforcement probe. You'll be the victim in that probe, but you'll still have lots of questions to answer. Federal Trade Commission probes are also common. Then there will be the discovery from the inevitable class-action lawsuit on behalf of shareholders, assuming you're unlucky enough to be publicly traded.
About that disclosure, some pointers. Be absolutely and strictly truthful. That means not going even one tiny iota beyond what you know to be true. For example, never ever say "XYZ was tampered with, but ABC wasn't touched." In the early stages of your internal forensics probe, you have no idea what was or was not touched. You can say "At this point, we have seen no indications that ABC was touched," but that's as far as you dare go.
The initial forensic reports—for very good reasons—are almost never accurate. Why? Because most cyberthieves are professionals. The first thing they do before leaving the scene of the crime is to erase almost all evidence of their existence. The second thing they do is leave misleading clues, to confuse the forensic investigators.
Therefore, logically enough, when your team does its initial exhaustive sweep of log files and everything, the first things it finds are what the bad guys want them to find. It will take many more weeks and months of investigating—with lots of comparisons to archived files secured away before the breach—to find inconsistencies and to slowly figure out what most likely really happened.
If your forensics team is good—and most are—the truth will eventually be learned. But like the crime scene photos shot by police in the very beginning of the probe, the story they will tell is almost always misleading—deliberately so. Sticking strictly to what you know to be true is the only viable approach.
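As an added illustration of the comparison against securely archived copies described above (example code, not from the article): the log lines, the off-host append-only collector and the idea that the intruder could edit only the on-host copy are all constructed assumptions.

```python
import hashlib
from collections import Counter

# Constructed sample data (not from the article): the auth log as it was shipped line by
# line to an off-host, append-only collector before the intruder took control of the
# server, and the same file as it now reads on the compromised host.
ARCHIVED_LOG = """\
2023-03-01T08:00:01 sshd accepted publickey for deploy from 10.0.0.5
2023-03-01T08:02:17 sshd accepted password for root from 198.51.100.23
2023-03-01T08:05:44 sudo deploy : COMMAND=/usr/bin/systemctl restart app
2023-03-01T08:09:02 sshd accepted publickey for deploy from 10.0.0.5
2023-03-01T08:09:02 sshd accepted publickey for deploy from 10.0.0.5
"""
CURRENT_LOG = """\
2023-03-01T08:00:01 sshd accepted publickey for deploy from 10.0.0.5
2023-03-01T08:03:10 sshd failed password for admin from 203.0.113.77
2023-03-01T08:05:44 sudo deploy : COMMAND=/usr/bin/systemctl restart app
2023-03-01T08:09:02 sshd accepted publickey for deploy from 10.0.0.5
2023-03-01T08:09:02 sshd accepted publickey for deploy from 10.0.0.5
"""


def sha256_hex(text: str) -> str:
    """Digest recorded for each copy so the comparison can be reproduced later."""
    return hashlib.sha256(text.encode()).hexdigest()


def reconcile_logs(archived: str, current: str) -> dict:
    """Compare the on-host log against the off-host copy.

    Lines in the archive but gone from the host are candidates for erased evidence;
    lines on the host that the archive never received are candidates for planted,
    misleading entries. Counting (rather than set membership) keeps legitimate
    repeated lines from being flagged and still catches one deleted duplicate.
    """
    archived_lines = Counter(ln for ln in archived.splitlines() if ln.strip())
    current_lines = Counter(ln for ln in current.splitlines() if ln.strip())
    erased = sorted((archived_lines - current_lines).elements())
    planted = sorted((current_lines - archived_lines).elements())
    return {
        "archived_sha256": sha256_hex(archived),
        "current_sha256": sha256_hex(current),
        "erased": erased,
        "planted": planted,
        "tampered": bool(erased or planted),
    }


if __name__ == "__main__":
    report = reconcile_logs(ARCHIVED_LOG, CURRENT_LOG)
    for key in ("erased", "planted"):
        print(f"{key}: {report[key]}")
```

The same reconciliation applies to any artifact with a pre-breach copy held out of the intruder's reach (binaries, configuration, database exports), not just logs.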
Beyond telling the stakeholders that a breach happened, you should also seriously consider spreading a more detailed version to others in the industry including your competitors. This is one of those rare times when you're all in this together. When your arch-rival gets hit, they'll likely return the favor.
There have been some government-supported efforts to do this. Not all have been ideal—I wrote last year about a well-intentioned but poorly written federal effort—but better versions will hopefully emerge. Either way, the bad guys are hoping to use these techniques repeatedly, figuring that victims will be silent. We can't let that happen.