
Equifax Hack: Keep Your Friends Close, but Your Supply Chain Closer

After more than 145 million customer records were compromised in the Equifax data breach, the company’s stock plummeted by more than 30 percent. That amounted to market capitalization losses north of $5 billion. The hack was one of the largest in history, and the records stolen included Social Security and driver’s license numbers.

And yet, that could be just a drop in the bucket compared to the fallout yet to come. It wasn’t just Equifax that was hacked. Suppliers to Equifax may also be at risk of compromise, which could expose the information of millions more customers.

For instance, both Visa and MasterCard recently sent alerts to banks notifying them about 200,000 credit cards that may have also been compromised. Indeed, there’s been a spike in attempted credit card fraud this August, with a 15 percent increase year-over-year. A similar period of rampant identity theft was also observed after the Target breach of 2013, which occurred thanks to a vulnerability in a third-party supplier.

Visa and MasterCard – which both explicitly blamed Equifax – may be the first of many companies to come forward with statements that their data was also compromised in the Equifax data breach. Any company that has interacted with Equifax is at risk. 

The risk that companies inherit from their suppliers is a pervasive problem for cyber security. Dynamic supply chains are a necessity in today’s fast-paced business environment, but every new supplier expands a company’s threat surface.

Compounding the problem is the fact that companies have no oversight of the level of security of their suppliers’ networks. They have no way of monitoring the risks involved, yet cannot afford to hinder productivity.

The assessment of potential supply chain partners is often a rushed process in terms of evaluating their cyber security level, and is rarely as in-depth as it should be. In the same way that lenders use FICO credit scores to assess credit risk, companies should adopt a similar system to assess cyber risk. At the heart of this system must be the capability to monitor cyber risk continually, not just as a one-off, and adaptively, to keep pace with the changing digital environment and evolving risks.

Attacks happen every day, and a company’s adversaries can change drastically from one month to the next. So in order to make the most informed business decisions and detect supply chain risks at the earliest possible stage, we need to have complete visibility into the potential risks and threats associated with partnering with a given vendor.


That gets to the heart of the issue – we can’t change the resilience of our suppliers against cyber-attackers directly, but we can have a transparent relationship when it comes to cyber risk. Under such a paradigm, we would be alerted to the early warning signs of cyber risk in a third-party supplier, and we would be able to back out of a partnership if the risk is deemed too high.

An early warning sign could involve a device beaconing out to command-and-control (C2) infrastructure, dormant malware quietly profiling network defenses, or a vulnerability in a company’s cloud storage practices that puts passwords and intellectual property at risk. Without visibility into these threats, companies are forced to trust their suppliers without fully understanding the risk involved.

My company recently worked with an organization hosting a major event, and we detected a device on their network beaconing to a rare external destination. Since the device in question was owned and operated by a third party – the local police department, to be exact – the organization’s network defenses failed to identify the threat. Especially when third parties are integrated onto the network like this, threats are bound to slip through the cracks, and the Equifax hack demonstrated how easy it is for a subtle threat to develop into a debilitating data breach.
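The "rare external destination" signal described above combines two observations a defender can compute from ordinary connection logs: how few internal hosts talk to a destination, and how regular the gaps between one host's connections to it are. The script below is an added example, not code from the column or its author; the log lines are constructed, and the thresholds (`max_sources`, `min_connections`, `max_cv`) are illustrative assumptions rather than values the column gives.

```python
"""Flag internal hosts that contact a rare external destination at regular intervals.

Added example, not from the original column. The log records are constructed
and the thresholds are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "epoch_seconds src_ip dst_ip", one connection per line.
# 10.0.0.5 -> 203.0.113.9 every 300 s (rare destination, regular gaps: a beacon).
# 198.51.100.20 is contacted by four hosts (common, so ignored).
# 10.0.0.9 -> 192.0.2.44 is rare but irregular (not flagged).
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9
1001 10.0.0.7 203.0.113.9
1300 10.0.0.5 203.0.113.9
1600 10.0.0.5 203.0.113.9
1900 10.0.0.5 203.0.113.9
2200 10.0.0.5 203.0.113.9
1010 10.0.0.5 198.51.100.20
1020 10.0.0.6 198.51.100.20
1030 10.0.0.7 198.51.100.20
1040 10.0.0.8 198.51.100.20
1700 10.0.0.5 198.51.100.20
2900 10.0.0.5 198.51.100.20
1000 10.0.0.9 192.0.2.44
1005 10.0.0.9 192.0.2.44
1900 10.0.0.9 192.0.2.44
1903 10.0.0.9 192.0.2.44
2500 10.0.0.9 192.0.2.44
"""


def parse_log(text):
    """Parse 'epoch src dst' lines into (timestamp, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split()
        records.append((int(ts), src, dst))
    return records


def sources_per_destination(records):
    """Map each destination to the set of internal hosts that contacted it."""
    sources = defaultdict(set)
    for _, src, dst in records:
        sources[dst].add(src)
    return sources


def find_beacons(records, max_sources=2, min_connections=5, max_cv=0.2):
    """Return (src, dst) pairs that reach a rare destination on a regular cadence.

    Rare: at most max_sources distinct internal hosts contact the destination.
    Periodic: the pair has at least min_connections connections and the
    coefficient of variation (stdev / mean) of the gaps between them is at
    most max_cv. All three thresholds are assumptions for this example.
    """
    sources = sources_per_destination(records)
    timestamps = defaultdict(list)
    for ts, src, dst in records:
        timestamps[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in sorted(timestamps.items()):
        if len(sources[dst]) > max_sources or len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue  # duplicate timestamps; no cadence to measure
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "connections": len(stamps),
                "distinct_sources": len(sources[dst]),
                "mean_interval": avg_gap,
                "cv": cv,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the constructed sample only `10.0.0.5 -> 203.0.113.9` is reported: the destination is rare (two internal hosts) and the gaps are all 300 seconds. The `10.0.0.9` pair shows why rarity alone is a weak signal, since its destination is equally rare but the connection times are irregular. In a real deployment the same logic runs over exported flow or proxy logs, and the rarity baseline should be computed over a longer window than the periodicity check so that a newly seen destination is not treated as common because of a single burst of traffic.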

There was little Equifax’s supply chain partners could have done to prevent being potentially implicated in the data breach. However, they can get smarter about understanding the risks and vulnerabilities that each partnership entails. If they had this real-time awareness, they would have been in a better position to see and deal with the vulnerabilities at an early stage, before data was compromised. At the cost of Equifax’s 145.5 million customers and their supply chain, this was clearly not the case.
