You have likely heard about the recent Equifax data breach, which affects approximately 44% of Americans. SBS would like to provide you with a summary of the breach details, lessons learned, and suggested response procedures.
The information published so far indicates that sensitive data belonging to 143 million consumers was exposed. The leaked information may include:
- Consumer Names
- Social Security Numbers
- Driver’s License Numbers
Additionally, the following information may have also been exposed:
- 209,000 credit card numbers
- 182,000 consumer dispute documents containing personal information
Below are suggested lessons learned from the Equifax breach. They are intended to help ensure your institution has the proper controls in place to reduce the likelihood of being compromised by similar types of cyber-attacks.
- External Penetration Testing – It is suspected that an externally facing web application was the point of compromise in the Equifax breach. At a minimum, an annual penetration test should be performed on externally facing systems to identify vulnerabilities and examine how they could be exploited. This assessment must include a Web Application Assessment, so that the vulnerabilities unique to complex web applications (not just the network services in front of them) are identified and tested.
- Include Credit Bureaus in Vendor Management Program – If you send customer information to a credit bureau, that bureau should be included in your vendor management program. This helps establish accountability in these relationships and demonstrates your efforts to protect the safety and soundness of your customer data.
- Risk Assess All Critical Applications – Risk assess all critical applications, with specific attention to externally facing web applications and the open-source software components they are built on. This helps ensure your systems have adequate controls in place to secure them at a level that meets your risk appetite. These controls could include independent testing, patch management, vendor management, encryption, and intrusion prevention.
Equifax has set up a website (https://www.equifaxsecurity2017.com) where consumers can check whether they have been affected and sign up for one (1) year of free credit monitoring.
SBS would suggest that you follow your current incident response plan and notify customers as prescribed. Regarding legal requirements for customer notification, SBS suggests discussing the situation with your legal team, as this can differ by state. Regardless, SBS suggests an informational notice would add value for your customers. This notice should suggest, at a minimum, the following actions:
Additional SBS Resources:
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet monthly to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS also offers products and services to help financial institutions address these specific issues.