The headline-making Equifax data breach was one of the worst ever. Equifax exposed the personal data of approximately 143 million consumers, but did not notify any of them. The breach exposed vital information such as driver’s license numbers, credit card numbers, Social Security numbers, addresses, and birth dates.
According to the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, the global average cost of a data breach is approximately $3.62 million. What led to this massive data breach at Equifax, and what can cannabis businesses learn from it?
1. Keep a tight lid
The lax security within Equifax is the main culprit. It is imperative that a thorough investigation be conducted into this security breach. What is even more crucial is how Equifax responded in the aftermath. To say that Equifax responded less than satisfactorily is putting it nicely.
2. Don’t delay disclosure
While it may not be easy, any company that suffers a cyberattack has a duty to alert everyone affected immediately. While Equifax claims that it only learned about the breach at the end of July 2017, it took the company approximately six weeks to disclose this information. Interestingly, according to Bloomberg, during those six weeks three senior executives quickly sold shares. (A New York law firm is currently investigating this incident for questionable trading.) At the very least, it would seem only logical for Equifax to have made the wisest use of that time and strategized a proper response. It would only be rational to expect Equifax to create some kind of system for a customer to check whether their information was exposed. What happened instead was an announcement of the CEO’s retirement.
Cannabis businesses already have a lot of negative biases working against them from various industries and institutions. While there has been a lot of progress, there is still a lot of room for improvement, starting with the banking system. But that’s another topic for another time. The point is not to procrastinate or wait to disclose if your business suffered a breach.
3. Don’t misdirect potential victims
The first thing anyone would want to do upon hearing about a cyberattack or data breach is to check whether their information was exposed. Instead of creating pages on Equifax’s main, trusted website where consumers could check, the company directed people to a heavily bug-ridden domain – equifaxsecurity2017.com. The company expected consumers to enter the last six digits of their Social Security number. According to Krebs on Security, when some entered their Social Security number via a desktop or laptop, they were told that their accounts were not affected. (A New York Times reporter learned that any made-up Social Security number would produce the same result.) These very same people received a different answer when logging in from a cell phone. Even if this secondary domain had been in perfect working order, it was still a bad idea.
Meanwhile the official Equifax Twitter account repeatedly and mistakenly sent people to a fake phishing link (securityequifax2017). The fake site was a spoof set up by a software engineer, Nick Sweeting, just to show how easy it was to fool people.
In the event of a cyberattack or data breach, provide a way on your main site for customers to check whether their information was exposed; don’t confuse them with a secondary domain they’ve never seen before. It doesn’t help, and it makes it very easy for attackers to set up a look-alike site to deceive your customers.
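The two failures described above, a lookup page that told every made-up number it was "not affected" and a desktop-versus-mobile mismatch, both come from a check that never actually consulted the breach data. The following is an added example (not Equifax's code, and not from the original post) of how a breach-status lookup for the "last six digits" form can be built so that it answers only from the exposed data set, never stores the raw fragments, and ships with a release gate that rejects a degenerate always-the-same-answer implementation. The pepper value, the `BreachLookup`/`self_test` names and the sample fragments are all constructed for the example.

```python
import hashlib
import hmac
import re

# Server-side secret "pepper" (constructed placeholder; in production it is loaded
# from a secrets store, never committed). With it, a leaked lookup table cannot be
# reversed simply by hashing all one million six-digit values.
PEPPER = b"constructed-example-pepper-do-not-use"


def normalize_last6(value: str) -> str:
    """Strip separators and require exactly six digits, matching the form described."""
    digits = re.sub(r"\D", "", value)
    if len(digits) != 6:
        raise ValueError("expected the last six digits of a Social Security number")
    return digits


def digest(last6: str) -> str:
    """Keyed hash of the fragment so the lookup service never stores raw SSN data."""
    return hmac.new(PEPPER, last6.encode("ascii"), hashlib.sha256).hexdigest()


class BreachLookup:
    """Answers 'was this identifier in the exposed data set?' from a set of digests."""

    def __init__(self, affected_last6):
        # Only digests are kept; the plaintext fragments are discarded after indexing.
        self._affected = {digest(normalize_last6(v)) for v in affected_last6}

    def is_affected(self, last6: str) -> bool:
        # The answer depends only on the indexed data, so desktop and mobile
        # callers of the same backend necessarily get the same result.
        return digest(normalize_last6(last6)) in self._affected


def self_test(lookup: BreachLookup, known_affected: str, known_clean: str) -> bool:
    """Release gate: a lookup that gives the same answer for every input is broken.

    This is the kind of check that would have caught a page telling every
    made-up number that it was 'not affected'.
    """
    return lookup.is_affected(known_affected) and not lookup.is_affected(known_clean)


class AlwaysClean(BreachLookup):
    """A deliberately broken lookup that tells everyone they are unaffected."""

    def is_affected(self, last6: str) -> bool:
        return False


# Constructed sample of affected fragments (not real data).
AFFECTED_SAMPLE = ["123456", "987654", "555555"]
lookup = BreachLookup(AFFECTED_SAMPLE)
broken = AlwaysClean(AFFECTED_SAMPLE)

if __name__ == "__main__":
    print("123-456 affected:", lookup.is_affected("123-456"))                   # True
    print("000000 affected:", lookup.is_affected("000000"))                     # False
    print("real lookup passes gate:", self_test(lookup, "123456", "000000"))     # True
    print("broken lookup passes gate:", self_test(broken, "123456", "000000"))   # False
```

Because a six-digit fragment has only one million possible values, the endpoint serving this lookup also needs rate limiting and logging on the primary domain; the pepper protects the stored table, not the live query interface.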
4. Don’t keep your head in the sand
The cyber attackers gained access to the Equifax system through a widely used web application framework, Apache Struts. This vulnerability had been disclosed way back in March, and there was even a patch available to fix it. There was certainly plenty of time between that disclosure and the breach to apply the update. However, several months down the road, this problem still had not been resolved. Equifax had suffered another data breach in March; however, it did not release any information on that incident. Right now, there isn’t any clear link between the two breaches. The fact remains that Equifax should have taken the first attack as a warning sign. It should be obvious to anyone that a large corporate credit bureau like Equifax, holding massive amounts of data, will always be a target. Cannabis businesses want to be sure that they are not keeping their heads in the sand, so to speak.
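The failure in this section is a patch that existed for months and was never applied. The added example below (written for this page, not Equifax's or Apache's tooling) shows the minimal check a business can run over its own inventory: compare each deployed component's version numerically against the first fixed version in an advisory and report how many days the fix has been available against a patching deadline. The component name, versions, advisory id and dates are constructed placeholders, not the real Struts advisory; the `Advisory`/`Deployment` types and the 30-day SLA are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id; a real advisory carries a CVE number
    component: str
    fixed_in: str      # first version that contains the fix
    published: date


@dataclass(frozen=True)
class Deployment:
    host: str
    component: str
    version: str


def parse_version(v: str) -> tuple:
    """Turn '2.10.3' into (2, 10, 3) so versions compare numerically, not as strings."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:          # keep the leading digits of each dotted piece
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(dep: Deployment, adv: Advisory) -> bool:
    """A deployment is exposed if it runs the advisory's component below the fixed version."""
    return (dep.component == adv.component
            and parse_version(dep.version) < parse_version(adv.fixed_in))


def overdue_findings(deployments, advisories, today: date, sla_days: int = 30):
    """List every unpatched deployment with how long the fix has been available."""
    findings = []
    for dep in deployments:
        for adv in advisories:
            if is_vulnerable(dep, adv):
                days_open = (today - adv.published).days
                findings.append({
                    "host": dep.host,
                    "component": dep.component,
                    "running": dep.version,
                    "fixed_in": adv.fixed_in,
                    "advisory": adv.advisory_id,
                    "days_open": days_open,
                    "overdue": days_open > sla_days,
                })
    return findings


# Constructed inventory and advisory: names, versions, id and dates are all made up
# for this example and do not describe the real Struts advisory.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "example-web-framework", "2.3.5", date(2017, 3, 1)),
]
DEPLOYMENTS = [
    Deployment("web-1", "example-web-framework", "2.3.0"),   # unpatched
    Deployment("web-2", "example-web-framework", "2.3.5"),   # exactly the fixed version
    Deployment("web-3", "example-web-framework", "2.10.0"),  # newer; a string compare would flag it
    Deployment("db-1", "example-database", "9.6.3"),         # different component, not in scope
]
TODAY = date(2017, 7, 31)   # constructed "end of July" reference date

if __name__ == "__main__":
    for finding in overdue_findings(DEPLOYMENTS, ADVISORIES, today=TODAY):
        print(finding)   # one finding: web-1, 152 days open, overdue
```

The numeric comparison matters: Python compares `"2.10.0" < "2.9.1"` as true because it is comparing strings, and an inventory script that made that mistake would both miss real exposures and raise false alarms on freshly upgraded hosts.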
Is there a silver lining?
The saying goes that every cloud has a silver lining, but it may not be that easy to find one in this instance. The data of over 143 million consumers has been exposed. The worst part is that Equifax could have easily avoided it. By simply applying NIST’s Cybersecurity Framework, Equifax could have protected its data. The misdirection and the delayed disclosure show an alarming lack of care and concern. Another investigation is underway by the Federal Trade Commission. Security is serious business. This is where cannabis firms want to take heed and learn.