One year after the Equifax breach, the U.S. General Accounting Office (GAO) released a comprehensive report assessing exactly how the infamous Equifax data breach was carried out. The breach exposed the personal information of at least 145.5 million individuals. The report details how Equifax and privacy-related organizations are trying to implement change in this area, but are these new measures enough to prevent future breaches and win back the confidence of users?
What do we know?
A quick recap from the report: on September 7, 2017, Equifax publicly disclosed that it had been breached six weeks earlier, and the exposed records included individuals’ driver’s licenses, credit-card numbers, social security numbers, phone numbers, and email addresses. The root cause of the breach was an unpatched, out-of-date internet-facing web server, and the intrusion went undetected for 76 days.
What are the facts from the report?
The report states that the long period without detection gave the attackers free rein over the Equifax network, where nearly 9,000 request-based activities were later found in the server logs. The company’s internal and external monitoring systems failed to detect any suspicious activity. Evidence from the IT department indicates that the detection systems had not been working correctly for at least ten months. With no effective monitoring in place, the attackers gained access to a database containing unencrypted credentials, which they used to explore Equifax’s internal networks further. Equifax’s investigation of the breach identified four major factors that allowed the attackers to gain access to its network and extract information from databases containing personally identifiable information: identification, detection, segmenting of access to databases, and data governance.
What was the impact?
The initial impact included an FBI review, Congressional hearings, and consent orders from multiple banking regulators, and the Equifax stock dropped substantially as a result. Richard Smith, Equifax’s CEO at the time of the breach, testified before the U.S. Congress in four separate hearings and repeatedly blamed the breach on a single employee who failed to update the software on the web server. Banking consent orders were issued by major banks against Equifax, requiring security improvements, auditing, and reporting. The breach also led to two criminal insider-trading charges: one against the company’s former chief information officer, Jun Ying, and one against a company software developer, for allegedly selling stock while knowing of the breach before it was made public.
“One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information,” U.S. Senator Elizabeth Warren, a Massachusetts Democrat who requested the report, said in a statement.
What is being done?
The Internal Revenue Service (IRS), Social Security Administration (SSA), and U.S. Postal Service (USPS), all federal customer agencies that use Equifax’s identity verification services, conducted assessments of the company’s security controls, which identified a number of lower-level technical concerns that Equifax was directed to address. All agencies involved have added clauses to their new contracts modifying the notification requirements for future data breaches. The company has said it will spend an additional $200 million on security and technology, but did not provide any details on previous security spending. Equifax has supposedly hired external cybersecurity consultants to do a complete overhaul of its security policy and controls.
“We have enhanced our leadership team to include some of the most experienced cybersecurity and technology professionals in the industry, notably new Chief Information Security Officer Jamil Farshchi and Chief Technology Officer Bryson Koehler,” the spokeswoman for Equifax said.
Successful testing of preventative measures can still be difficult, but it is achievable for companies such as Equifax with the help of knowledgeable cybersecurity experts. Public pressure has proven effective, with new individual privacy rights being implemented. In the U.S., many states, such as California, Alabama, and North Dakota, are passing breach-notification laws with penalties and significant fines for delayed reporting. In Canada, a new breach-reporting law finally comes into effect on November 1, 2018, which could force organizations to follow strict guidelines when reporting breaches.
Contact us so we can come up with a plan together that meets your individual needs. Our certified security professionals can adjust their methodology and plan dynamically as the attack surface expands to find vulnerable components presented to them before a potential attacker can, resulting in a comprehensive security solution.