Data Privacy Conference

A product and engineering conference

Up next

Round table: Security Incident analysis and reporting

Submitted Mar 18, 2021

Capillary Technologies

Capillary’s products help enterprises in customer retention, increased customer loyalty and repeat business, both offline and online. Capillary’s products include loyalty, rewards, campaign, and Ecommerce platform for retail, fashion and quick service restaurants, etc., Capillary products handle a huge number of consumer transaction and Personally Identifiable Info (PII) records. Capillary operates in a space highly regulated by privacy regulations worldwide. Capillary is growing rapidly, expanding to newer geographies and hence requires compliance and internal policy catchup too.

Round table: Security Incident analysis and reporting

Security issue reported by a customer:

A public accessible code repository with Authentication Credentials to a QA database of the customer.

We gathered as much information the customer had, and started the incident bridge inviting our customer security manager to join into.

Capillary’s basic hygiene practices helped here. Some of key practices are:

Communicate well internally and externally. Security incidents happen. Respond gracefully without transparency:

As most of us at the Tech startups/firms live with the customer first approach, we do at Capillary too. The key to move faster to resolution is communication with the stakeholders, including customers.

As a process, one person from the InfoSec team started engaging with the customer and also coordinating the efforts across teams.

Security notification email IDs of our customers come in handy for timely communication.

Golden hour response:

The Tech, InfoSec and Access Control team quickly confirmed that the DB was an old QA DB, checked access logs, code repository brought down, rotated IDs, etc.,

Impact assessment and communication of specifics to the customer:

A two member team was dedicated for impact assessment so that further impact containment measures, if any, could be planned.