http://online.wsj.com/article/SB10001424053111904265504576566991567148576.html

SEPTEMBER 26, 2011

What to Do if You've Been Hacked

Among the surprising advice: Don't shut down the computers

By BEN WORTHEN

It's a nightmare scenario every business fears.

Your tech department has spotted suspicious activity on the company network. Your customers and employees are getting hit with credit-card fraud and identity theft. MasterCard Inc. is on line one.

The panic sets in: Your company has been hacked!

So, what do you do?

First, take a breath and remember that you're not alone. Last year, 662 organizations publicly disclosed data breaches, according to the nonprofit Identity Theft Resource Center, a figure that includes real-world theft and accidents as well as cyberintrusions. And the actual number is likely much higher than that, since not all hacking incidents get disclosed.

Next, remember that getting hacked doesn't have to be a business-crippling experience. While it will likely set a company back financially, if handled properly it won't have a long-lasting impact.

"The public is forgiving when it's apparent that the company is doing the right thing," says Lori Nugent, a lawyer at Wilson Elser Moskowitz Edelman & Dicker LLP who specializes in breach cases. In fact, if a company is on top of the technological problems and communicates well, it can build loyalty among its customers, she says.

There are a number of small but critical steps businesses need to take when they find out they've been breached. Here's a look at what to do when it happens to you.

Don't unplug. The natural instinct when an employee discovers he or she has been hacked is to power off the machine (and maybe throw it against the wall in frustration).

But it's the wrong move.

True, turning off the Internet connection and detaching the computer from the corporate network can help prevent the infection from spreading. But shutting the machine down can also erase valuable evidence that will help investigators determine what's been stolen and where it's been sent. A lot of malware--a catchall term for programs like viruses written and installed by hackers--resides in a computer's memory and not on the hard drive. Turning off a computer erases the memory, and with it many traces of the hack, security experts say.

Call in the pros. By now, you've probably realized you're in over your head. There are many companies that specialize in post-breach forensic investigation; it's a good idea to get in touch with one of them now. In fact, you should have one on speed dial for emergencies.

Also, now is the time to tell the police. (This is a separate step from disclosing the breach publicly, so you can wait to make that decision.) Local law-enforcement groups typically don't have the resources to investigate a breach, but filing a police report is often necessary to collect insurance. If you decide you do need official help, the Secret Service is the federal entity charged with investigating hacking intrusions. The Federal Bureau of Investigation also has a cyber division.

Keep a chain of custody. From here on out, you aren't just trying to stop the breach; you're also planning for the inevitable legal fallout. Maybe you won't get sued, but if you do, you'll need to be able to demonstrate that you responded to the breach in an appropriate manner. Record every time someone touches a compromised computer or server and everything that's done to it.

Find out if the breach is still open. Don't assume that because one infected computer has been cleaned up or removed the attack is over. The hacker could have taken control of multiple machines. At this stage, your job is mostly to sit back and let the pros do a thorough search of your systems. Be patient: Learning the full scope of a breach can be a time-consuming process, so don't worry if this takes a few days or longer.

Among the things the experts will need to do is find the malware that the hacker used and determine what kind of information it's programmed to find and where it sends it. Likewise, they'll check the logs of all the outbound communications for any suspicious activity. Patrik Runald, a researcher with security company Websense Inc., says that hackers often send data to so-called dynamic hosts that constantly change their Internet addresses. Most legitimate websites don't use this kind of addressing. If data are still being sent to these types of addresses, it's a possible sign that a breach is still happening.
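One way to implement the outbound-log check described above, as an added example that is not from the article or from Websense: it groups a constructed sample of outbound-connection log entries by destination hostname and flags hosts that resolved to several different addresses within a day, skipping an assumed allowlist of vetted CDN hostnames.

```python
"""Flag outbound connections to hosts whose IP address keeps changing.

The log format is a constructed, simplified proxy/firewall export:
timestamp, internal source host, destination hostname, resolved destination IP.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic). The example-cdn entry shows
# why a plain "many addresses" rule needs an allowlist for known CDNs.
SAMPLE_LOG = """\
2011-09-20T09:01:12 ws-042 sync.acme-erp.example 203.0.113.10
2011-09-20T09:15:40 ws-042 sync.acme-erp.example 203.0.113.10
2011-09-20T09:02:03 ws-017 files.dyn-host.example 198.51.100.7
2011-09-20T10:31:55 ws-017 files.dyn-host.example 198.51.100.88
2011-09-20T12:04:19 ws-017 files.dyn-host.example 192.0.2.44
2011-09-20T13:45:02 ws-017 files.dyn-host.example 192.0.2.201
2011-09-20T09:30:00 ws-009 updates.example-cdn.net 192.0.2.10
2011-09-20T11:30:00 ws-009 updates.example-cdn.net 192.0.2.11
2011-09-20T13:30:00 ws-009 updates.example-cdn.net 192.0.2.12
"""

# Assumption: an allowlist of vetted hostnames that legitimately rotate addresses.
KNOWN_CDN_HOSTS = {"updates.example-cdn.net"}


def parse_log(text):
    """Yield (timestamp, source, dest_host, dest_ip) tuples from the export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, ip = line.split()
        yield datetime.fromisoformat(ts), src, host, ip


def find_dynamic_hosts(text, min_distinct_ips=3, max_hours=24.0,
                       allowlist=KNOWN_CDN_HOSTS):
    """Return {host: {"ips": [...], "sources": [...]}} for destinations that
    resolved to at least min_distinct_ips addresses within max_hours."""
    seen = defaultdict(list)  # host -> [(timestamp, ip, source)]
    for ts, src, host, ip in parse_log(text):
        seen[host].append((ts, ip, src))
    flagged = {}
    for host, entries in seen.items():
        if host in allowlist:
            continue
        entries.sort()  # chronological, so first/last give the time span
        ips = sorted({ip for _, ip, _ in entries})
        span_h = (entries[-1][0] - entries[0][0]).total_seconds() / 3600
        if len(ips) >= min_distinct_ips and span_h <= max_hours:
            flagged[host] = {"ips": ips,
                             "sources": sorted({s for _, _, s in entries})}
    return flagged
```

Load-balanced services and content-delivery networks also rotate addresses, so a hit is a lead for the investigators to confirm against the malware's actual destination addresses, not proof on its own that the breach is still open.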

Stop the bleeding. Now that the pros have assessed the scope of the problem, take the infected computers offline. Investigators will take a digital snapshot of the information on them, leaving you free to erase their contents. Also, block all access to and from any of the Internet addresses associated with the malware.

It's also important to figure out how the hacker broke in, and to fix that hole. Again, experts can look through log files and trace the hacker's movements to, say, find the email with the fake spreadsheet that an unsuspecting employee opened.

Find out what they stole. This will be slow and frustrating, but it's important to get right--so don't take shortcuts, and resist the temptation to call off the hunt too early.

If companies aren't thorough in their analysis, they'll have to disclose that a breach was bigger than they originally said. This can hurt a company that's trying to rebuild trust with a customer base, as was the case with TJX Companies Inc., which eventually said it lost more than double the number of records it initially announced in the breach it disclosed in January 2007. (A TJX spokeswoman declined to comment.)

"I always say correctly is better than quickly," says Brian Lapidus, the chief operating officer of Kroll Inc.'s fraud-solutions division.

Figure out whom to tell. This is when you bring in the lawyers.

Forty-six states have laws that specify when a company has to inform people whose records have been exposed in a data breach. And they're all different. Other entities, such as the federal Department of Health and Human Services, have separate reporting requirements for organizations they oversee.

Usually, if the data stolen include a name and something like a credit-card or Social Security number, then notification laws are triggered. But sometimes if the data are encrypted or there's a strong reason to believe that the information won't be misused, there's no need to tell anyone. In other cases, credit-card data could be so old that all the cards would have expired.

"Sometimes it's pretty clear that the data is not likely to be misused or the data doesn't meet the notification requirements," says Ms. Nugent, the breach lawyer.

Deciding whether to disclose a breach isn't just a matter of law. Sometimes companies do it because they're afraid it will get out or just because they think it's the right thing to do.

Email marketing firm Epsilon Data Management LLC, a division of Alliance Data Systems Corp., earlier this year said that email addresses it manages for companies like Target Corp. were stolen by a hacker. The company wasn't legally obligated to disclose the breach because email addresses aren't considered personal information. But Epsilon CEO Bryan Kennedy concluded that the news would get out anyway and that coming clean was in the best interest of Epsilon's customers.

Be apologetic. You probably feel like a victim, but remember, so do the people whose information was stolen. And in their minds, it's your fault.

Remember also that your customers will probably expect the worst when they get the news about the breach. "Consumers tend to jump immediately from a data breach to identity theft," says Matthew Mors, a vice president at Mix Public Relations who has helped craft the response to many breaches.

So, while your lawyer will probably tell you not to apologize, striking a conciliatory tone is important. A good breach-notification letter will make it clear that you are taking the issue seriously and that you've gotten to the bottom of it. Also, be sure to stress that you have taken steps to make sure that something like this doesn't happen again.

Some people will still be concerned, so set up a website with more information and give them a phone number they can call. In some cases, businesses offer customers a year of free credit monitoring after a breach. An increasingly common freebie is credit-restoration services for anyone who runs into problems as the result of a breach.

Mr. Worthen is a staff reporter in The Wall Street Journal's San Francisco bureau. He can be reached at ben.worthen@wsj.com.