As new details emerge, Equifax, the credit reporting giant, could be in for a long, drawn-out aftermath after a massive data breach that affects almost half of all US citizens. Questions abound as to the company’s governance and stewardship of citizen data.
Equifax is responsible for determining credit scores based on people’s debt loads, credit repayment histories, credit availability and so on, and is one of three main companies that US financial institutions rely on to determine qualifications for mortgages and other loan approvals. Other businesses rely on Equifax too: for instance, if a landlord is deciding whether to rent to someone, he or she would very likely ask for a credit report from Equifax. Consumers work directly with Equifax as well, ironically to detect identity theft after a breach, through the company’s credit monitoring and insurance services.
As a result, this is a company that has touched (and has sensitive financial information on) almost every adult in one of the world’s most populous countries. In all, 45% of the US population is directly affected by this incident (the total US population, including everyone from infants to centenarians, stands at 325 million).
The breach, which, as we reported, consists of 143 million compromised records, saw criminals make off with names, Social Security numbers, dates of birth and physical addresses. But the fallout could be far worse than having credit card numbers stolen or dealing with phishing attempts: credit reporting companies also hold information on credit accounts, including the type of account, when it was opened, the limit, the balance and payment history, as well as information on consumers' address history and debt.
“With all this information, the risk of identity theft is far greater,” Marie White, president and CEO at Security Mentor, a Pacific Grove, California-based provider of security awareness training, told Infosecurity. “For example, hackers can now answer questions that are typically required to access financial accounts.”
As such, this could be one of the most significant data breaches in history.
“The size of the breach, quality and quantity of personal information, and far-reaching impact make it unprecedented,” she told Infosecurity. “Imagine if one out of every two people walking down the street dropped their credit card, along with a sticky note on the back with all their personal information needed to access that card. Now imagine that happening in every city across the country.”
Given the staggering scope of the issue, Equifax chairman and CEO Richard F. Smith’s statement seems lackluster at best. He called the incident “a disappointing event for our company, and one that strikes at the heart of who we are and what we do” and apologized to consumers and business customers “for the concern and frustration this causes”.
“While their CEO has already issued a statement, and said all of the things I would expect to come from an organization with strong leadership, this kind of loss could easily linger in the minds of customers, both commercial and private, for years to come,” Nathan Wenzler, chief security strategist at AsTech, told Infosecurity. “This will cause a huge blow to Equifax's credibility and reputation as a trustworthy reporting source for credit information.”
Worsening the situation, Wenzler also told us that the criminals accessed the systems by exploiting a vulnerability rather than by tricking an employee.
“This breach did not happen by the more popular social-engineering style attacks such as a phishing email compromising an employee's system or a malicious insider leaking the data, but rather, this was due to an application vulnerability in one of their websites,” he explained. “This is something we in the security community continue to see rising: as organizations are getting better and better at defending servers, workstations and laptops, the cyber-criminals simply move on to the next easiest target, which is most commonly the organization's web applications.”
It’s likely that Equifax will face some big questions. “The breach is also reported to be due to a website vulnerability,” White said. “Consumers have the right to know whether this is a vulnerability that could have been reasonably prevented.” It is unknown at this point whether the vulnerability was a zero-day or had already been patched.
Also, given that the data breach is reported to have been discovered on July 29th, White said that consumers should ask why it has taken six weeks to announce the breach, further putting data at risk. The optics aren’t good for the company on this front, given that three senior Equifax executives (the CFO, the president of US information solutions and the president of workforce solutions) reportedly sold shares worth almost $1.8 million in the days after the breach was discovered.
And, given the sensitivity of the information that Equifax is supposed to safeguard for consumers, what protections and encryption strategies were in place for data protection?
“No longer can organizations believe they won’t be next, and must take immediate steps to implement integrated solutions that address all of the attacks above and more; to effectively protect their websites, backend databases, and OUR DATA against today’s hackers,” Alp Hug, founder and COO of Zenedge, said via email. “Although nobody likes more government regulations, it appears there is no other solution, other than to hold these organizations 100% responsible.”
He added, “The damage in the Equifax storm will go down in history as an extremely expensive event for Equifax and the financial industry.”