Download your Customer Notice Template

Download the Equifax Lessons Learned Breach Article

You have likely heard about the recent Equifax data breach, as this unfortunate event affects approximately 44% of Americans. SBS would like to provide you with a summary of the breach details, lessons learned, and response procedures.

Breach Details

The current information being published suggests that sensitive data belonging to 143 million consumers has been breached. The leaked information may include:

• Consumer Names
• Social Security Numbers
• Birthdates
• Addresses
• Driver’s License Numbers

Additionally, the following information may have also been exposed:

• 209,000 credit cards
• 182,000 consumer dispute documents containing personal information

Lessons Learned

Below are suggested lessons learned from the Equifax breach that will help ensure your institution has the proper controls implemented that would reduce the likeliness your institution would be compromised from similar types of cyber-attacks.

• External Penetration Testing – It is suspected that an externally facing web application was compromised in the Equifax breach. At a minimum, an annual penetration test should be done on externally facing systems to identify vulnerabilities and examine how they may be exploited. A component of this assessment must include a Web Application Assessment, to ensure the unique vulnerabilities in complex web applications are identified and tested. Click here for a custom quote on your next penetration test.
   
• Include Credit Bureaus in Vendor Management Program – If you are sending information to a credit bureau they should be included into your vendor management program. This will help encourage accountability in these relationships and demonstrates your efforts to protect the safety and soundness of your customer data.
   
• Risk assess all critical applications, specifically externally facing web applications and open-source software. This will help ensure your systems have adequate controls in place to secure them at a level that meets your risk appetite. These controls could include independent testing, patch management, vendor management, encryption, and intrusion prevention.

Response Procedures

Equifax has set up a website (https://www.equifaxsecurity2017.com) to check if you have been affected and sign up for one (1) year of free Credit Monitoring.

SBS would suggest that you follow your current incident response plan and notify customers as prescribed. Regarding legal requirements for customer notification, SBS suggests discussing the situation with your legal team, as this can differ by state. Regardless, SBS suggests an informational notice would add value for your customers. This notice should suggest, at a minimum, the following actions:

• Monitor your bank account and credit report information
• Place a fraud alert on your credit reports (https://www.consumer.ftc.gov/articles/0275-place-fraud-alert)
• Place a credit freeze on your credit reports (https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs)
• Investigating other credit monitoring services such as:
  • Credit Karma - https://www.creditkarma.com
  • Credit Sesame - https://www.creditsesame.com
  • LifeLock - https://www.lifelock.com

Additional SBS Resources:

• {Article} Equifax Lessons Learned Breach Article
• {Blog Post} Equifax Data Breach Overview, Lesson Learned, and Response Procedures
• {Education} Certified Banking Incident Handler Certification
• {Download} Customer Notification
• {Additional Resource} Krebs on Security
• {Quote} Request a quote for a Comprehensive Network Security Audit or KnowBe4