News broke on Thursday that U.S. credit reporting agency Equifax suffered a massive data breach that could impact as many as 143 million customers, including people in the U.K. and Canada.
Hackers exploited a vulnerability in an unnamed website application to gain access to Equifax’s systems and data such as names, social security numbers, dates of birth, addresses, and driver’s license numbers. More than 200,000 consumers in the U.S. also had their payment card numbers compromised.
Equifax learned of the breach on July 29 and immediately started taking steps to contain the incident and assess its impact. However, many are displeased that it took the company two months to inform customers that their information was compromised.
SEC filings showed that three of the company’s executives had sold shares worth nearly $1.8 million shortly after the breach was discovered, but Equifax denied that they had knowledge of the incident when they made the decision.
Industry professionals have shared thoughts on various details of the breach, including how the company handled the incident, GDPR and other compliance aspects, and long-term implications.
And the feedback begins…
Marten Mickos, CEO, HackerOne:
“Equifax is the latest example of a company who is human. No one is perfect, and everyone is being hacked in some way or another. Financial services have always been attractive targets for criminals and this trend continues as everything goes online. It’s also not news that the cybersecurity industry is facing a severe skills shortage. Teams are typically short staffed, under funded and doing the best they can. That’s why it’s so important to open up a channel of communication with the ethical hacker community to help surface critical bugs before they are exploited.
We looked at Equifax’s website and found no easy way for hackers to disclose anything. A couple bugs have been disclosed via Open Bug Bounty, a non-profit project designed to connect hackers with website owners to resolve bugs in a transparent and open manner. One of which was disclosed for their UK website that took nearly five months to resolve, and the second for the U.S. website, which has yet to be resolved.
Equifax isn’t alone. It’s one of the 94 percent of the Forbes Global 2000 that don’t have a way for ethical hackers to disclose any bugs they find — a stark difference to the 39 percent of tech unicorns in the same position.”
Richard Henderson, global security strategist, Absolute:
“We have to expect that the fallout from this will likely be unprecedented. Many people are going to lose their jobs, including Equifax executives, people will be brought before Congress to explain what happened, and consumer trust in *all* of the credit reporting agencies will be eroded.
It may be time for us to reconsider exactly how we allow companies to store all of this data. It’s clear that these mega-databases are prime targets for attack, and we may need to take a hard look at legislative changes that will force databrokers and collectors to take security up a few levels.”
Etienne Greeff, CTO and Co-Founder, SecureData:
“In response to the breach, Equifax created a website – Equifaxsecurity2017.com – that offers free identity theft protection and credit file monitoring to all US customers. However, customers are asked to input additional information into the website that doesn’t even have a valid security certificate. It’s akin to offering contents insurance to a person whose house has already been robbed – and potentially putting them at risk even further. What’s more, Equifax has been relatively tight lipped about the type of information that has been compromised, meaning if customers want to take advantage of the company’s Credit Freeze feature to prevent further credit theft, they have to use a PIN number that may or may not have been stolen by cybercriminals.
In short, Equifax’s knee-jerk and ill-considered response to the breach is shambolic. It appears the company is more concerned about its own image than supporting customers and providing transparency on what exactly has happened. With the GDPR legislation due to come down heavily on companies that neglect to better protect customer data, this should serve as a lesson to other businesses about how to be more prompt and forthcoming with action against cybercrime.”
Nathan Wenzler, chief security strategist, AsTech:
“It should be noted, also, that this breach did not happen by the more popular social engineering style attacks such as a phishing email compromising an employee’s system or a malicious insider leaking the data, but rather, this was due to an application vulnerability in one of their websites. This is something we in the security community continue to see rising, as organizations are getting better and better at defending servers, workstations and laptops, the cyber criminals simply move on to the next easiest target, which is most commonly the organization’s web applications.
No matter what industry your company is in, it’s simply not good enough to defend internal systems alone. More and more, a comprehensive security strategy is absolutely necessary that covers education, technical security controls for servers and other assets, network security and stronger software development practices that create secure applications during development and not tacked on after the fact. Hackers will find the easiest path to steal data, and organizations must be more diligent about making security part of every aspect of their technology infrastructure and development efforts.”
Chris Pierson, CSO, Viewpost:
“Today, Equifax publicly announced that it learned of unauthorized access to its systems between mid-May and July 2017, but that intruders did not have access to its core credit reporting databases. It was noteworthy that the CEO appeared in a taped video statement to announce the breach and this is important from a governance and accountability perspective. It was less heartening that the credit monitoring sign-up process appears to be convoluted. You can check to see if you are affected, but the system does not give you a reply other than to check back in 4 days. This is a miss from an operational and reputational perspective where consumers should be able to access the free credit monitoring b
eing offered at the point in time the notice is provided.”
Eduard Goodman, global privacy officer, CyberScout:
“This incident underlies one of the key issues with the U.S. consumer credit system and centralization of credit data on Americans: We have become overly reliant on the three credit bureaus who act as the sole data ‘brokers’ and repositories of data for creditworthiness, making an exposure like this a very dangerous event.
With loss of not just SSNs but other secondary pieces of data like previous addresses, mother’s maiden name or the banking institutions with which consumers hold loans, to some degree we have exposed an entire consumer facing security ecosystem to failure since everyone from credit loan verification to online account sign ups depend on this information to help verify us all. The impact of this breach, depending upon who actually has obtained the information and how it is misused could last for a decade.”
David Emm, principal security researcher, Kaspersky Lab:
“This is yet another case of a breach becoming public long after the incident itself occurred, which underlines the need for regulation. It’s to be hoped that the GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and, secondly, notify the ICO of breaches in a timely manner.
The best way for organisations to combat cyber-attacks is by putting in place an effective cyber-security strategy before it becomes a target. Customers that entrust private information to businesses should be safe in the knowledge it is kept in a secure manner – and businesses should use security solutions to significantly mitigate the risk of a successful attack. There are also other measures that companies can take in order to provide thorough protection, which include running fully updated software, performing regular security audits and performing penetration testing.”
Tom Kellermann, CEO, Strategic Cyber Ventures:
“The credit bureaus have made mountains of money monitoring Americans credit. The cybercrime community is well aware that the bureaus house a treasure trove for data theft. It is my feeling that the majority of credit bureaus do not practice what they preach and have underinvested in cybersecurity.
Even if not victimized, we will be suffering from this breach for years to come. It is time that the government impose stringent security standards on the bureaus and correspondingly mandate the implementation of intrusion suppression architectures.”
Atiq Raza, CEO, Virsec:
“Given the frequency of major breaches it’s understandable if consumers are suffering from “breach fatigue” and not paying a lot of attention. But this breach is especially alarming and serious. Almost all the data that credit reporting companies like Equifax hold is sensitive, and much of it is used to establish identity – birth dates, addresses, drivers licenses, and other data types are routinely used to verify identity. It’s one thing to ask a consumer to change a password, but how do you change your birth date?
This also highlights that web applications remain a major vector of attack. Even as vulnerabilities are found and patched, hackers are developing new fileless techniques to fly under the radar of most security tools. It’s no longer adequate to base security defenses on past attacks – we need to shift to real-time monitoring and security for web applications and all the processes that support them.”
Ross Brewer, vice president and managing director EMEA, LogRhythm:
“If anything, this is a solid reminder that even though British and European consumers may not directly deal with overseas businesses, those organisations might still hold – and ultimately lose – our personal data. This is exactly why we need the incoming EU GDPR, to hand down appropriate penalties to those US companies collecting huge amounts of highly sensitive personal data on European citizens and then not protecting it. Let’s not forget, if the ICO were to impose the highest level fine – four percent of Equifax’s turnover – it would be looking at a bill of over $100m.”
Ilia Kolochenko, CEO, Founder, High-Tech Bridge:
“It’s a very colorful, albeit very sad, example how a vulnerability in a web application can lead to disastrous consequences for an entire company, its customer base and far beyond. Today, almost any critical data is handled and processed by web applications, but cybersecurity teams still seriously underestimate the risks related to application security. Most companies don’t even have an up2date application inventory. Without knowing your assets, you won’t be able to protect them. Many global companies still rely on obsolete automated solutions and tools for their application security, while cybercriminals are already using machine-learning in their attacks when targeting and profiling the victims for example.
Last but not least, such a delayed public disclosure of the breach is quite dubious. Probably the disclosure was reasonably postponed in the interests of investigation, but it still could endanger the victims. Most important now is to make sure that we do not underestimate the scale of the breach, and have properly identified every victim and the integrity of data that was stolen.”
Mike Shultz, CEO, Cybernance:
“The government has clearly endorsed the use of the NIST Cybersecurity Framework to strengthen enterprises from this devastating caliber of risk by focusing on people, policies, and processes. Had NIST CSF been employed by Equifax, this breach would not have happened. Further, the government provides protection for companies who use NIST and designated technology covered by SAFETY Act. These functions are in recognition of the risk to the U.S. economy from breaches just like this – this is no longer a suggestion, it is necessity.
It is the fiduciary duty of every C-suite and board of directors to act with reasonable business judgement to protect private information of consumers, and the fact that proper security measures were not set in place and consumers’ information has been held for weeks without notice means that responsibility has not been upheld. The FBI’s involvement since the breach was identified in May, and their offering of one year protection for every citizen in the U.S. also suggests that the ripple effect of this breach may be even greater than we’re aware.”
Nigel Hawthorn, chief European spokesperson, Skyhigh Networks:
“No doubt Equifax has been working feverishly behind the scenes since it found the breach in July. All busines
ses must think about the steps they would take in similar circumstances to investigate a breach, track the data lost and put together a communication plan to customers. Not having a pre-prepared and tested incident response plan causes delay in disclosing data loss which simply opens up the company to further criticism and reputation damage when information is eventually publicised. Moreover, companies have to ensure that they are aware of every outsourcer, business partner or cloud service that may be sharing data, as similar breaches at any of those will have repercussions up the chain.”
Kenneth Geers, senior research scientist, Comodo:
“It is ideal, if ironic, for cybercriminals to compromise the very companies that internet users rely on to safeguard their identities and finances. Cybercriminals would like to have enough information about you that they can in effect become you, and Equifax possesses that quantity and quality of data. Even if you are not a customer, Equifax likely has a lot of data about you, and you should take proactive steps in response to this hack.
The sheer size of this breach, which spans at least the U.S., Canada, and Great Britain, may have frightened some Equifax officials into selling a portion of their company shares.
On the technical side, it is critical that we learn what application was exploited, and what vulnerability was leveraged, so that other companies can take defensive action. The fact that the Trustedid.com site isn’t yet working means that Equifax was simply not ready for the level of responsibility that possession of this quantity and quality of digital information requires. It is alarming that, despite past cybersecurity compromises, Equifax today apparently has no chief information security officer (CISO) to talk to.”
