The massive Equifax data breach is the latest cybersecurity incident in the ongoing struggle against threat actors. With 143 million consumers, or roughly half of the US population, potentially affected, this is one of the most threatening financial breaches in American history.
By now, we know cyber criminals seized names, Social Security numbers, birth dates, addresses and even some driver’s license information. We also know they gained entrance through a vulnerability on a web application server between May and July of this year. A security patch was released by Apache Struts, the web application software vendor used by Equifax, in March 2017. It took Equifax until July 29 to discover the breach; they disclosed it publicly on September 7.
We sat down with BARR’s Director of Cyber Risk Consulting, Mitch Evans, for his take on the situation.
A breach of this magnitude is becoming too common. However, Equifax’s primary business model relies upon its ability to manage our most sensitive information. The volume of Social Security numbers stolen is extremely troubling in that a consumer cannot change their number like a compromised password or credit card. We should all assume somebody already has our personal information, but this breach is unique in that Social Security numbers can be added to a mounting database of other breaches to create more detailed profiles for the hacker network.
Equifax provides information regarding our financial reliability as consumers. Unfortunately, they allowed a breach of the exact data that, if compromised, could impact our abilities to obtain credit for the basic needs of life, such as a home, a car, and education.
I immediately want to know what types of data and systems the attackers were targeting. The initial compromise is usually the tip of the iceberg. Due diligence should be done to determine if other areas of the organization were exploited. Additionally, was the attack targeting an enterprise, a government agency or employees? What data did they actually obtain? What facts do we have about the overall scope of the breach?
Then I’m hoping to see a strategy on how the responsible organization is addressing the issue, such as notifying affected humans and organizations, shutting down the entrance used by attackers, and other steps taken to mitigate the effects of the attack.
The most important lesson should be from the financial institutions and other vendors that rely on Equifax to provide data used in lending decisions. These organizations should be hyper vigilant in implementing additional controls over vendors that are storing and processing sensitive information.
As a cybersecurity professional, I hope this serves as a wakeup call to all businesses. Just because another organization is handling a service for your company – and you may have robust controls and security mechanisms in place – does not mean your partners and vendors operate in the same manner. This is where a robust vendor management process should be implemented, including pre-engagement vetting and continuous monitoring of existing third-party relationships, specifically regarding data security.
The unfortunate reality is all companies should be operating as if a data breach is inevitable. The question is: How will you prepare and respond when the inevitable happens? Equifax’s disorderly and inadequate response indicates a lack of preparation. In today’s environment, every company should have a plan.
BARR has developed and assisted countless organizations with implementing a robust vendor management program to ensure that data stored, shared with, and processed by vendors and partners is adequately protected. This includes an in-depth evaluation of security policies, specifically access control, incident management and response, and data classification and handling policies.
It’s our practice to always maintain an inventory of the types and classifications of data shared with vendors and partners. We also perform ongoing monitoring and review processes of each vendor that have access to our clients’ data.
The Equifax breach has impacted so many citizens that the general public is now aware of the catastrophic impact of cyber crimes. With this knowledge, we should all voice our concerns to our government representatives to implement additional policies necessary to protect our companies and personal data.
It’s unfortunate that these breaches adversely affect human beings; however, I do believe it makes us more aware of online threats. The more knowledgeable we are, the more vigilant we can be when sharing our personal information with organizations and people.