SecurityWeek

Equifax Hack: Keep Your Friends Close, but Your Supply Chain Closer

After more than 145 million customer records were compromised in the Equifax data breach, the company’s stock plummeted by more than 30 percent. That amounted to market capitalization losses north of $5 billion. The hack was one of the largest in history, and the records stolen included Social Security and driver’s license numbers.

And yet, that could be just a drop in the bucket compared to the fallout yet to come. Equifax was not the only organization exposed. The companies in its supply chain, whose data passed through Equifax's systems or whose systems connect to Equifax's, may also be at risk of compromise, which could expose the information of millions more customers.

For instance, both Visa and MasterCard recently sent alerts to banks notifying them about roughly 200,000 credit cards that may also have been compromised. Indeed, there was a spike in attempted credit card fraud this August, with a 15 percent increase year-over-year. A similar period of rampant identity theft was observed after the Target breach of 2013, which began with network credentials stolen from a third-party supplier.

Visa and MasterCard, which both explicitly named Equifax as the source, may be the first of many companies to come forward with statements that their data was also compromised in the Equifax data breach. Any company whose data has passed through Equifax is potentially exposed.

The risk that companies inherit from their suppliers is a pervasive problem for cyber security. Dynamic supply chains are a necessity in today's fast-paced business environment, but every new supplier expands a company's attack surface.

Compounding the problem is the fact that companies have little or no direct oversight of the security of their suppliers' networks. They have few ways of monitoring the risks involved, yet cannot afford to hinder productivity by cutting suppliers off.

The assessment of potential supply chain partners is often a rushed process in terms of evaluating their cyber security level, and is rarely as in-depth as it should be. In the same way that lenders use FICO credit scores to assess credit risk, companies should adopt a similar system to assess cyber risk. At the heart of this system must be the capability to monitor cyber risk continually, not as a one-off questionnaire at onboarding, and adaptively, to keep pace with the changing digital environment and evolving risks.

Attacks happen every day, and a company’s adversaries can change drastically from one month to the next. So in order to make the most informed business decisions and detect supply chain risks at the earliest possible stage, we need to have complete visibility into the potential risks and threats associated with partnering with a given vendor.

That drives to the heart of the issue: we can't directly change how resilient our suppliers are against cyber-attackers, but we can have a transparent relationship when it comes to cyber risk. Under such a paradigm, we would be alerted to the early warning signs of cyber risk in a third-party supplier, and we would be able to back out of a partnership if the risk is deemed too high.

An early warning sign could be a device beaconing out to command-and-control (C2) infrastructure, dormant malware quietly profiling network defenses, or misconfigured cloud storage that puts passwords and intellectual property at risk. None of these is visible from a questionnaire; they show up only in network and configuration telemetry. Without visibility into these threats, companies are forced to trust their suppliers without fully understanding the risk involved.

My company recently worked with an organization hosting a major event, and we detected a device on their network beaconing to a rare external destination. Since the device in question was owned and operated by a third party (the local police department, to be exact), the organization's network defenses failed to identify the threat. Especially when third parties are integrated onto the network like this, threats are bound to slip through the cracks, and the Equifax hack demonstrated how easy it is for a subtle threat to develop into a debilitating data breach.
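The two signals mentioned above, a device beaconing at regular intervals and a destination that is rare for the network, are exactly what a simple detector can look for. The following is an added example, not code from the column's author or their company: it scores connection-log lines for periodicity (coefficient of variation of the gaps between connections) and for how many internal hosts talk to each destination, and flags flows that are both regular and rare. The log format, the sample lines and the thresholds are all constructed assumptions for illustration; real telemetry (Zeek conn logs, NetFlow, proxy logs) would be mapped onto the same four fields.

```python
"""Beaconing detector over connection-log lines (added example, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed sample log: "unix_ts src_ip dst_ip dst_port", one connection per line.
# 10.0.5.20 -> 203.0.113.7   : every ~60 s, only host talking to that destination (beacon)
# 10.0.5.21 -> 198.51.100.10 : every 120 s, but three other hosts use it too (e.g. an update server)
# 10.0.5.30 -> 192.0.2.55    : rare destination, but irregular timing (browsing, not beaconing)
SAMPLE_LOG = """\
1505000000 10.0.5.20 203.0.113.7 443
1505000060 10.0.5.20 203.0.113.7 443
1505000121 10.0.5.20 203.0.113.7 443
1505000180 10.0.5.20 203.0.113.7 443
1505000241 10.0.5.20 203.0.113.7 443
1505000300 10.0.5.20 203.0.113.7 443
1505000013 10.0.5.21 198.51.100.10 443
1505000133 10.0.5.21 198.51.100.10 443
1505000253 10.0.5.21 198.51.100.10 443
1505000373 10.0.5.21 198.51.100.10 443
1505000493 10.0.5.21 198.51.100.10 443
1505000097 10.0.5.22 198.51.100.10 443
1505000333 10.0.5.23 198.51.100.10 443
1505000391 10.0.5.24 198.51.100.10 443
1505000005 10.0.5.30 192.0.2.55 80
1505000200 10.0.5.30 192.0.2.55 80
1505000260 10.0.5.30 192.0.2.55 80
1505000900 10.0.5.30 192.0.2.55 80
1505000920 10.0.5.30 192.0.2.55 80
"""


@dataclass
class Finding:
    src: str
    dst: str
    count: int
    mean_interval: float  # seconds between connections
    cv: float             # pstdev(gaps) / mean(gaps); near 0 means clockwork regular
    distinct_sources: int  # how many internal hosts talk to dst at all


def parse(log: str) -> List[Tuple[int, str, str, int]]:
    """Parse the constructed 'ts src dst port' lines; blank lines are skipped."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        rows.append((int(ts), src, dst, int(port)))
    return rows


def detect_beacons(log: str, min_count: int = 5, max_cv: float = 0.2,
                   max_sources: int = 2) -> List[Finding]:
    """Flag (src, dst) flows that are both periodic and rare on the network.

    min_count   : ignore flows with fewer connections (too little evidence of a period)
    max_cv      : regularity threshold; jittered beacons need a looser value
    max_sources : a destination used by more internal hosts than this is treated as
                  shared infrastructure, not a rare C2 endpoint
    """
    flows: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    sources: Dict[str, Set[str]] = defaultdict(set)
    for ts, src, dst, _port in parse(log):
        flows[(src, dst)].append(ts)
        sources[dst].add(src)

    findings: List[Finding] = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu == 0:  # burst of connections in the same second: not a periodic beacon
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv and len(sources[dst]) <= max_sources:
            findings.append(Finding(src, dst, len(stamps), mu, cv, len(sources[dst])))
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}: {f.count} connections, every {f.mean_interval:.0f}s "
              f"(cv={f.cv:.3f}), {f.distinct_sources} internal host(s) use this destination")
```

Run against the constructed log, only the 10.0.5.20 flow is reported: the 10.0.5.21 flow is just as regular but its destination is shared by four hosts, and the 10.0.5.30 flow is rare but irregular. Two caveats a practitioner would add before trusting this in production: legitimate software (NTP, update checks, monitoring agents) is also periodic, so an allow-list or a reputation lookup on the destination belongs in front of the alert, and malware that randomizes its sleep interval will push the coefficient of variation above a tight threshold, which is why rarity of the destination is kept as an independent signal rather than relying on timing alone.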

There was little Equifax's supply chain partners could have done to prevent being potentially implicated in the data breach. However, they can get smarter about understanding the risks and vulnerabilities that each partnership entails. If they had this real-time awareness, they would have been in a better position to see and deal with the vulnerabilities at an early stage, before data was compromised. At a cost to Equifax's 145.5 million customers and its supply chain, this was clearly not the case.
