Companies must respond to data breaches properly to limit the damage. Unfortunately, Equifax did not.
There have been some very high-profile data breaches in the last few years, but the latest disaster to hit the headlines concerns one of the largest credit bureaus in the United States. It’s estimated that the Equifax data breach exposed 143 million consumers, with cybercriminals accessing birth dates, addresses, and even Social Security, credit card and driver’s license numbers, making it one of the worst corporate data breaches ever.
The global average cost of a data breach is $3.62 million, according to the Ponemon Institute, which also estimates the average cost for each lost or stolen record containing sensitive data at $141. But mishandle a breach and that cost can rise. The lax security that led to a breach of this magnitude must be investigated, but in the immediate aftermath of an attack like this, how a company responds is crucial in limiting the damage.
Unfortunately, to say Equifax responded poorly would be an understatement.
Any company that suffers a data breach has a duty to those affected to inform them quickly. Equifax claims it learned about the breach at the end of July. It took around six weeks to disclose it. During that time three senior executives sold shares, according to Bloomberg, which has prompted an investigation by a New York law firm. Questionable trading aside, at the very least you would assume that Equifax might have used the time to plan a response and create a system to allow its customers to check whether their data was exposed. Instead, it announced the sudden retirement of its CEO.
Misdirecting potential victims
Naturally, the first thing people want to do when they hear about a breach like this is to check whether their data was accessed. Instead of building pages on its main, trusted website to allow people to check, Equifax directed potential victims to a new domain – equifaxsecurity2017.com – which was bug-ridden and flagged by some browsers as a phishing threat.
Equifax asked people to enter the last six digits of their Social Security number in order to check if their data had been exposed. Some people entered their information via computer and were told they were unaffected, but got a different answer about exposure when they logged in from a smartphone with the same details, according to KrebsonSecurity.
Even if this site had worked properly, the reason why creating a separate domain is a bad idea became obvious when the official Equifax Twitter account mistakenly and repeatedly directed people to a phishing link instead of its own site. Luckily for Equifax the securityequifax2017.com site had been set up by software engineer, Nick Sweeting, as proof of how easy it is for cybercriminals to set up phishing scams. It got 200,000 hits before he took it down.
Head in the sand
The attackers gained access to the Equifax system by exploiting a vulnerability in the Apache Struts web-application, which is widely used in the enterprise. The thing is, that bug had been disclosed back in March and a patch to fix it was available. Equifax had ample opportunity to update, it was aware of the patch, and yet several months later it had still not managed to successfully apply it.
It later transpired that Equifax had also suffered a breach back in March, though the company did not share any details on what, if any, data was exposed. It’s unclear if there’s any link between the two incidents, but the first attack should have been a warning signal. Although, it should be obvious that a credit bureau holding all the data cybercriminals need for lucrative identity theft is always going to be a major target.
Looking for a silver lining?
They say every cloud has one, but it’s not easy to find one here for the millions of Americans whose data has not been properly protected. What’s so galling about the Equifax breach is how avoidable it was.
Security isn’t arcane knowledge, simply applying NIST’s Cybersecurity Framework could have prevented this. And to exacerbate the situation by delaying and then misdirecting potential victims shows a staggering lack of care. An investigation by the Federal Trade Commission is underway. And deservedly so.