One of the Most Impactful Breaches to Date
It’s important to know, that the details of most data breaches change over time, especially during an active investigation, usually for the worse. And it is possible things could get worse for Equifax. Here is what is currently being reported:
Sensitive data belonging to 145.5 (updated as of October 6th to include an additional 2.5 million identities) million consumers has been breached. The leaked information may include:
- Consumer Names
- Social Security Numbers
- Driver’s License Numbers (in some cases)
Additionally, the following information may have also been exposed:
- 209,000 credit cards
- 182,000 consumer dispute documents containing personal information.
This is a considerable number of records, and to add insult to injury; it’s pretty rich data compared to other breaches. This information would be prime data to conduct identity theft and will bring a premium on the dark web. This data is valuable to open new lines of credit under your name, commit tax fraud, or create an identity similar to yours and commit crimes. In addition to the issues related to the loss of this sensitive data, many other things have gone wrong with this breach and the process Equifax has taken to address it.
The Equifax Breach – What Happened?
Let’s start with what we know about the breach. The following are all great examples of what NOT to do in a data breach scenario.
Equifax announced on September 7th that they have been investigating “unauthorized access” to a web application system that it identified July 29th. This authorized access could have started mid-May through July and was made possible because of a software vulnerability in an open-source software program called Apache Struts, which is a programming framework for building web applications in Java. It reported that most Fortune 100 companies leverage this software. Equifax has recently announced that the breach was related to a vulnerability that was publicly announced in March. This concerns many experts suspicious that the breach was a result of slow patch management patches and not an unknown zero-day vulnerability.
It is also reported that three executives at Equifax, including its Chief Financial Officer, President of U.S. Information Solutions, and President of Workforce Solutions, collectively sold shares and exercised stock options totaling approximately $1.8 million before August 2. The Senate Finance Committee wants details on these three individuals to determine if they had knowledge of the security breach being investigated prior to selling their stock. Whether or not they did, the claims of insider trading surely don’t look favorable for Equifax.
On September 15th, Equifax reported that two other executives, their Chief Information Officers and Chief Security Officer will be retiring, immediately. These positions will be filled by other internal team members. On September 26th, the CEO of Equifax – Richard Smith – also retired amid the fallout of the breach. Ex-CEO Smith provided testimony to a US Congressional Committee regarding the breach and how the events that ultimately led to the breach transpired. While Smith took responsibility for the hack, he blamed one single individual who was tasked with responsibility for patch management and the software that was vulnerable. Equifax’s patch management process was found to be lacking, and it was discovered that much of its confidential customer information was stored in plaintext..
In response to the breach and massive public concern over the lost consumer data, Equifax has setup a website to help people understand details of the breach and take next steps. The website was given a new domain name, which has sparked additional criticism as the URL looks like a phishing site: https://www.equifaxsecurity2017.com. On their website, they provide you a way to check if you were one of the 143 million affected Americans. According to an article by Brian Krebs, this site does not appear to be producing reliable information. In some cases, it says a particular person is not affected, but when the same data is provided a second time, it would report that same consumer is affected. To check your breach-status, you are asked to provide your last name and last 6 digits of your social security number. Providing parts of your SSN on a website that looks phishy to a company that was just breached – and already has your data anyhow – doesn’t seem like a great idea.
If you do check Equifax’s site to determine your status, you can automatically enroll in Equifax’s TrustedID Premier which is their credit monitoring service and identify theft protection. This service is free for a year, but there is a cost for you to continue the coverage beyond the next 12 months. Initially, it also had a clause in their terms and conditions that limited a consumer’s ability to litigate against Equifax. The company has since made adjustments to these terms, and the website now reads, “We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action.”
Also, Equifax has adopted an insecure practice for issuing PIN numbers that allowed you to manage your credit freeze. It is reported that these pin numbers were generated in a non-random and apparently sequential method; based on the current date/time stamp. This insecure PIN practice appears to have been updated, according to their website. Those who already have a PIN should ensure it is changed to a more secure number that can’t be easily brute-forced or guessed.
Last but not least, at least 23 class action lawsuits have been proposed against Equifax. These lawsuits allege security negligence by Equifax, damages from a delay in notification the public, and concerns around the free credit monitoring service offered which is a service owned by Equifax and perceivably done to sell its service to those affected by this breach.
Regardless of the issues in this particular data breach, there is value in examining what went wrong so that we can all learn and improve our own processes to protect against cybercrime. As we learned from the WannaCry Ransomware worm, patching our systems is critical. In this case, there is the possibility that an externally facing web application system was not fully patched and could have allowed the cybercriminals access to the sensitive data. Given the rate at which vulnerabilities are detected and exploited by hackers, patching cycles need to get shorter so that security gaps are closed in days or weeks, not months.
External Web Application Testing
It has been a best practice for years to ensure your institution has an annual independent Penetration Test conducted on its externally facing systems. In this case, such an assessment might have identified that a vulnerable webserver was exposed to the internet. It’s a vital auditing process to ensure your institution is truly implementing a strong patch management program. In addition to the standard External Penetration Test, is has become essential to ensure the testing process includes a Web Application Assessment. This assessment uses special tools that focus on identifying and exploiting vulnerabilities in the actual web application itself, such as insecure code, not just focusing on the networking and services layer that a traditional penetration test does.
In addition to these two external assessments, it is also a best practice to conduct an independent internal Vulnerability Assessment of your network. A Vulnerability Assessment (VA) provides another layer of security in detecting missing security updates, insecure or default security settings, or other vulnerabilities. It has also become a common practice to conduct regular vulnerability scans using a Continual Vulnerability Assessment process. Most Vulnerability Assessment software is fairly affordable and can be easily configured to run a weekly or month scan of your network to give you a more frequent snapshot of its security health.
Asset-Based Risk Assessment
Systems similar to this suspected vulnerable web application system should have been evaluated in an IT Risk Assessment. An IT Risk Assessment should capture the value of the system and the data it stores, transmits, and processes, as well as threats against the asset or analyzed, and current risk-mitigating controls implemented. This would have allowed for a risk assessment of the system and a comparison against the institution’s risk appetite. If the risk was outside the institution’s risk tolerance, then additional security controls could have been added. Many things from patch management, intrusion prevention, encryption, system hardening, network segregation, SIEM, and other control considerations could be selected to manage and mitigate the risk.
Improve Vendor Management
There has been a debate in the past if you should include your credit bureau in your vendor management program or not. SBS would suggest that if you are publishing data to a credit bureau, you include the credit bureau in your vendor risk assessment, scoring them appropriately and following your standard process according to the appropriate vendor’s risk level. They may not be a critical vendor but having customer data would likely mean you are requesting SOC 2 reports and evaluating if adequate controls are in place.
Incident Response Program
This is also an ideal time to take a look at your own institution’s incident response procedures. While this type of incident might not require you to notify your customers, it does pose a good question: Should we notify customers proactively as an advisor, to help them be prepared for potential fraud and identify theft? Other considerations could include: template notifications, designated public relations person, offering for credit monitoring (or alternative solution), procedures for incident investigation, and forensic resources.
Incident Response Next Steps
As an institution, if you have decided to share information with your customers about the breach, what should you communicate? The process Equifax is currently suggesting might not be the most beneficial for those affected long-term. The good news is there are lots of alternative suggestions to consider in addition to or in replacement of Equifax’s suggestions.
Here is what Equifax is suggesting on their new website to protect yourself:
Brian Krebs has suggested that there is limited value in the results of the website tool that checks if you were affected or not. It is better, particularly in this day-and-age where data breaches occur regularly, to assume your data has been breached, regardless of the Equifax website results. There is probably no harm, however, in using the free service provided by Equifax, given the fact they are no longer taking your legal right away to litigate against them and that you will not be automatically opted into the paid-for solution a year from now then the free coverage expires.
Krebs makes some good points in a recent Q&A post about the Equifax breach, suggesting all of these services are just detection tools. Once they find fraud on your credit report, it’s too late. You will be stuck cleaning up the situation. To really protect yourself from identify theft and fraud, you should place the security freeze (also known as credit freeze) on your account with each of the 4 credit bureaus. This will make getting new credit cards, loans, and mortgages harder in the future, as you would need to temporarily thaw your credit to get approved. For more information on how a security freeze works, check out this article from Brian Krebs, which is full of useful information: https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/
Also, if you have concerns about the effectiveness or intentions behind the TrustID solution provided Equifax, there are other monitoring solutions out there you can suggest to your customers, such as:
The Equifax breach is a very significant breach – perhaps one of the most impactful breaches thus far - and it will have a large-scale impact on millions of Americans. It might be easy to just dismiss this story and move on with life, but we want to encourage you to stop and consider how you can learn from this scenario and improve your own organization, as well as how you might help protect your customers and communicate information in the future. Breaches will continue to be a regular occurrence, and we can’t stand idle and do nothing. Learning from someone else’s mistakes are the cheapest lessons to learn.
Written by: Chad Knutson
Partner, President of the SBS Institute - SBS CyberSecurity, LLC
Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.