I work in an industry that is under persistent risk of data breaches and leakages, so I am very conscious of the fact that no system can be absolutely foolproof against determined attackers. The key differentiator is whether the vendor has a good plan (aka a runbook) in place to deal appropriately with data breaches.
If you are one of my vendors, here's the recommended plan of action:
- Be honest. Come clean as quickly as possible so that your customers can take appropriate actions to clean up their end of things.
- Be truthful. Don't dress things up or cover them up in a feel-good rhetoric. Tell me what really happened and what I need to do to take care of business.
- Be transparent. Do communicate what you are doing and going to do to clean up this mess, and your plan to keep this from happening again. Don't overdo it; we are not family. An update every couple of days is good enough.
- Act decisively. Figure out what you need to do to fix the situation and do it quickly. Evernote's decisive action to reset all passwords is a good example.
- Apologise. We are human; you will most likely be forgiven. A big discount for the next subscription renewal might help. Heck, think of this as a cost of marketing if you are doing it right.
- Show your customers that you don't give up! Customers like vendors who (think they) know what they are doing. Put up a good fight!
- Don't take it out on your team. After all, they have only done what you told them to do.
- Don't be too hard on yourself. You are only human. But be resolute to not make the same mistake twice. Be humble, seek advice from your peers and the experts.
If you are a customer of such vendors, here's what I recommend you do on your end:
- If at all possible, give each vendor a unique email address for each account. This can be a real pain even if you run your own email service. But here's one way to do it with Gmail.
- Use a different/unique password for your account with each vendor. This is a pain, but it will spare you much more pain in the long run. There are many password managers that can help ease the pain.
- Change all your passwords at least once a year. Again, a pain, but password managers may help.
- Use strong/random passwords. This is not that difficult - pick a long phrase, take the first letter from each word - there's your password. Studies have also shown that 8-character or longer passwords are much more difficult to crack than shorter ones. This is a moving target with increasing computing power, but you have to start somewhere.
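The per-vendor address advice above pays off when a breach happens: the address that turns up in a leaked list tells you which vendor held it. The following is an added example, not code from the original post; it assumes Gmail plus-addressing (user+tag@gmail.com is delivered to user@gmail.com, and dots in the local part are ignored), uses a vendor slug as the tag by convention, and runs over a constructed sample of leaked addresses.

```python
import re

# Constructed example mailbox; one plus-addressed alias per vendor account.
BASE_MAILBOX = "jane.doe@gmail.com"

def vendor_alias(base: str, vendor: str) -> str:
    """Derive the unique address to register with one vendor (slug as the plus tag)."""
    local, domain = base.split("@", 1)
    slug = re.sub(r"[^a-z0-9]+", "-", vendor.lower()).strip("-")
    return f"{local}+{slug}@{domain}"

def normalise(address: str) -> tuple[str, str, str]:
    """Split an address into (canonical local part, plus tag, domain).
    Gmail ignores dots in the local part and treats googlemail.com as gmail.com."""
    local, domain = address.strip().lower().split("@", 1)
    local, _, tag = local.partition("+")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return local, tag, domain

def attribute_leak(base: str, aliases: dict[str, str], leaked: list[str]) -> dict[str, list[str]]:
    """Map leaked addresses back to the vendor whose alias they match.
    Returns {vendor or 'unknown': [addresses]} so you know which account to clean up.
    Note: the tag is plain text, so this attributes a leak; it does not hide anything."""
    base_local, _, base_domain = normalise(base)
    tag_to_vendor = {normalise(alias)[1]: vendor for vendor, alias in aliases.items()}
    hits: dict[str, list[str]] = {}
    for addr in leaked:
        local, tag, domain = normalise(addr)
        if (local, domain) != (base_local, base_domain):
            continue  # not our mailbox at all; ignore
        hits.setdefault(tag_to_vendor.get(tag, "unknown"), []).append(addr)
    return hits

# Constructed sample input: two hypothetical vendor accounts and a "leaked" address list.
VENDORS = ("Example Shop", "Acme Cloud")
ALIASES = {vendor: vendor_alias(BASE_MAILBOX, vendor) for vendor in VENDORS}
LEAKED = [
    "Jane.Doe+example-shop@gmail.com",      # case and dots differ, still ours
    "janedoe+acme-cloud@googlemail.com",    # alternate Gmail domain, still ours
    "jane.doe+old-forum@gmail.com",         # ours, but no vendor on record for the tag
    "someone@example.com",                  # somebody else's address
]

if __name__ == "__main__":
    for vendor, addrs in attribute_leak(BASE_MAILBOX, ALIASES, LEAKED).items():
        print(f"{vendor}: {addrs}")
```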