In this episode of A Little Privacy, Please!, we interview Fran Malloy, a seasoned cybersecurity leader currently serving as a technical lead at IBM. Fran recounts his firsthand experience managing a large-scale data cybersecurity breach during his tenure as Director of IT, Operations Support, and Risk Management at a leading North American retail company. This candid conversation explores the real-world impact of cybersecurity incidents, including breach detection, crisis response, and legal challenges, offering valuable lessons for IT leaders, risk managers, and privacy professionals.
Can you walk us through the cybersecurity breach and how it unfolded?
It was July 4th weekend in 2016, and I got a call from the CIO saying that Brian Krebs had contacted us. Brian Krebs is a forensics journalist with a well-known website. After bringing in a forensics investigator, outside counsel, and others, it took a couple of weeks, but we discovered malware on 298 of our 325 stores. It had been capturing credit card data for about six months.
It all started with a phishing attack that one of our merchants responded to around Christmas time. From that point, we had meetings three times a day with outside counsel, our chief legal officer, and the forensic investigator. Everything was verbal. I was working 14-hour days for weeks—it was incredibly nerve-wracking.
Looking back, do you think companies are better prepared for breaches today? What was going through your mind when you got that initial call?
That's a really good question because I was responsible for everything—if a store was down due to a network issue or if the distribution center couldn’t print. So having a security issue was really nerve-wracking. You don’t even know for sure if you have a problem for at least two weeks.
During that time, you go through a lot of emotions. You're wondering, “Am I going to lose my job?” and “What should I be saying—or not saying—to people?” We relied heavily on legal counsel. We had to involve quite a few people, but we also limited who knew we were investigating a credit card breach. That was intentional, because we ended up facing a lawsuit.
Did your organization have a cybersecurity incident response plan—and how well did it work during the breach?
Back then, our plan was basically: get the CIO, CFO, chief legal counsel, and IT folks together and decide what to do next—which really isn’t a plan. I’m much more qualified now to put a proper plan together.
There are so many things to figure out. You need to work with different teams—like public relations, possibly hire an outside PR firm to notify customers, and bring in legal experts who know when and how to notify states like Rhode Island or California. You also need to notify your employees.
So yes, with the right consultants or teams, you can build a solid incident response plan. But one of the most important things I learned is that you must know who’s going to make decisions.
Looking back, what would you have done differently to prepare for or prevent the data breach?
There are a lot of things I’d do differently—some to prepare, some to prevent. For example, this was a credit card breach, so we had to deal with banks and their forensic investigators. We had cyber insurance, but policies today are written very differently than they were in 2016. You might need to notify them at different phases or involve their staff in the investigation.
One thing I really wish I had known was that I’d get a subpoena and have to appear in a deposition. I was under attorney-client privilege, and there were things I could and couldn’t say. If I had known what that process would be like, which wasn’t fun, I would have prepared for it much differently.
