March 4, 2020: It’s an anniversary, but not one for celebrating. A year ago, Brian McLaughlin learned that end-clients’ sensitive personal information, held by his software company, Redtail Technology, had been discovered on the open internet.
On the night of March 3, 2019, Kathryn Duryea, a lawyer and trust officer, stumbled across her name, Social Security number and other sensitive personal information in a Google search. Her phone call to Redtail the next day set off a chain of events that sent the Sacramento, Calif.-based customer relationship management software developer scrambling to figure out what went wrong and how to fix it.
Data breaches can be particularly devastating for tech companies, and have affected businesses large and small, from massive asset managers, like BlackRock, to data-centric financial service support companies, like Capital Forensics. Half of small- and medium-sized businesses have been victims of cyberattacks and “over 60 percent of those attacked go out of business,” according to 2015 testimony to Congress by Dr. Jane LeClair, COO of the National Cybersecurity Institute, a Washington, D.C.-based academic and research center associated with Excelsior College.
But a year after the breach, McLaughlin has used the crisis as an opportunity to make top-to-bottom changes in the business he bootstrapped more than a decade ago. In an exclusive interview with WealthManagement.com, Redtail’s CEO described how the data breach affected his personal outlook on cybersecurity and shared the changes his firm has made as it addressed the root problems behind the breach discovered by Duryea.
After learning of the breach, McLaughlin’s first steps were simply to get the information off the open internet, or “plugging the hole,” as he put it. “Once you identify where [the breach] is, you can shut things down.”
What took time after removing the data from the open internet was identifying the extent of the breach. In an effort to avoid unnecessarily panicking end-clients or advisors who weren’t affected, Redtail wanted a clear picture of who was affected. To ascertain this, the firm had to build a new set of tools to troubleshoot its own system and conclusively identify the extent of those affected by the breach. But, in doing so, the speed of updates on the data breach slowed to a crawl, drawing criticism from Duryea, who ended up moving her investments to a new advisor, and sowed confusion among advisors.
Behind the scenes, the company had to navigate both state-by-state data breach notification laws and balance timely and responsible communication about the incident—a task made more difficult because some advisors wanted to notify their own clients directly—while others preferred that Redtail disclose the breach.
“In our industry, you have multi-tiered organizations of who is responsible and owns the data,” McLaughlin said. “There’s a lot of communication that has to happen to get everybody looped in and get them informed.
“It slows down this process,” he said.
On top of these many factors, there is no federal guideline that makes distributing data breach notifications a smooth process, thus the fall back to following the state-by-state patchwork for notifying individuals.
“Each one is so different that it requires a specialist to understand it all,” McLaughlin said of state regulations and notification procedures. “It would be nice if there were some basic guidelines—there are when it comes to language of the [breach notification] letter…but there’s nothing for the prep work leading up to that. That was a big slow down.”
Despite the factors limiting Redtail’s communication and speed, the firm had the right approach, said Steve Weisman, an attorney and professor of law, taxation and financial planning at Bentley University in Waltham, Mass. “This data breach was one where data was released by [Redtail]. They weren’t attacked, but it is still a data breach and people have to recognize that,” he said.
“But other than that, to me what it looked like was a company that responded responsibly,” he continued.
“That is just so key to maintaining your brand, maintaining your reputation, letting your customers, your clients, know that you value them and [that] you’re doing your best.”
“People like that,” Weisman said.
The way the state-by-state notification standards hamstrung Redtail’s effort to notify clients in a timely manner didn’t surprise Weisman. “This is one of my big, big complaints,” he said, of the lack of overarching guidelines currently in place.
Having guidelines, standards and regulations that vary by industry, regulator, and on a state and national level make the provision of notifications into a complicated and costly process. Federal data breach notification guidelines “should be so, so easy to get through Congress—so elemental. I can’t think of a reason why Congress has been, quite frankly, so negligent in not establishing legitimate national standards and a way of helping people in a more streamlined fashion,” said Weisman.
While the notification process proved difficult, figuring out what caused the breach wasn’t as complicated.
Ultimately, it came down to human error, said McLaughlin. “It wasn’t egregious. It wasn’t intended to harm,” he explained. “It was an honest mistake.” In its breach notification, Redtail characterized the incident as a “temporary exposure” of personal data that occurred when its “logging systems inadvertently captured a small subset of personal information that we store for advisors and retained the data in a debug log file that was accessible to Internet users.” For those unfamiliar, in the most general terms, a debug log file is simply the capturing of data on a process running in software or a program, which can later be reviewed to better understand how that program or process is performing..
There was also an element of bad luck involved in the breach. In 2019 Redtail was already beginning to migrate its data processes into the cloud. If that process had already been completed, McLaughlin predicted that the “human factor” would have been minimized in a way that lessened the likelihood of a breach. The human element of configuring servers and making changes around the clock opens the door to data incidents like the one Redtail experienced, he explained.
While transitioning to a cloud environment puts data security at least partially in the hands of large tech firms like Amazon, Microsoft, Google and others, the question of whether security is better in that environment has yet to be conclusively answered, said Florian Kerschbaum, director of the Waterloo Cybersecurity and Privacy Institute and a computer science professor at the University of Waterloo.
While cloud computing services are supposed to come with experienced security administrators that know how to apply patches and maintain a secure environment, cloud environments also present a tantalizing target for bad actors, he said. Is migrating to the cloud a better solution to cybersecurity than a tech firm with a dedicated datacenter? “We don’t know yet,” he concluded. “The verdict is still out.”
But cloud computing is just one piece of the cybersecurity infrastructure McLaughlin has added over the last year. Redtail changed its security practices and the guidelines around its code review processes and implemented new training from an online provider of cybersecurity education. It installed its own global threat dashboard to detect and mitigate service disruptions from outside attackers and it’s using more automated tools to do daily, not quarterly or monthly, scans of its systems.
One of the biggest changes is that Redtail now has a group of employees dedicated to security, after adding full-time cybersecurity personnel to its staff. McLaughlin also changed the way his developers work by mandating a peer review process for in-house software development. “It’s the simplest of mistakes that get you,” he said.
The changes haven’t been free, but McLaughlin said he’d managed to keep the costs of the data breach under a million dollars so far. No one lost their job because of the breach, he said, but one of the employees involved in the data breach left the firm.
Data breaches don’t affect companies just in terms of dollars and cents; there was an emotional toll to the breach, too, McLaughlin said. “It wasn’t just me; it’s all the employees,” he said. “[I was] comforting them, as well, [saying], ‘Here’s what’s going on guys: this is not going to end the company. We have insurance for this. We have lawyers. We have all the tools.’”
“But it is scary,” he said. “It’s never happened to me before.”
Going forward, McLaughlin is confident that the root causes behind the data breach have been corrected. Redtail’s clients and other vendors in the wealthtech industry have been generally supportive, he said. If there were any regrets beyond the incident itself, McLaughlin said he wished his company could have more quickly notified affected individuals. Nevertheless, the CRM provider’s clients are “pretty pleased with how we handled it overall,” he said.
But the memory of the incident is in no danger of fading away.
“It was a wake-up call for a lot of developers. Somebody wrote this code that did this and somebody configured a server that did that,” said McLaughlin. “Until this hits you, it doesn’t wake you up.”