As you probably know the Equifax (one of the three big credit bureaus in North America and UK) announced it was breached (discovered unauthorized access) on the 29th of July. So far, the predictions are that this leak of sensitive personal data impacts over 143 Million American, Canadian and British citizens.
What is a credit bureau? – an organization that makes money by gathering and compiling huge amount of data (personal and financial) about customers and selling it to 3rd party marketers with the purpose of being able to provide a credit score for a certain individual to prove that customers’ financial capability when obtaining credit.
Obviously, these incredibly detailed dossiers contain tons of sensitive information that could be used to impersonate a person for either financial gain or to cause harm.
Historically speaking, all credit bureaus have encountered problems keeping their sensitive information secure, Experian for example had a breach in 2015 which exposed data for over 15 Million people.
Analysis of the breach:
As investigation is on the way (after the detection of the breach in July, Equifax has hired a security company to investigate all details of the breach and the depth of the data leakage and to do proper forensics), there are few released details on what really happened. But what is known so far is very troubling and does not look good for Equifax cyber-security posture. The official statement from Equifax is that the attackers broke into the company’s systems by exploiting an application vulnerability and then gained access to certain files. No mention of the exact vulnerability used which facilitated the breach. The fact that there is no mention of zero-day vulnerability (unknown flow), which could in fact make Equifax less culpable and makes sense for them to highlight, means that the vulnerability was known, meaning that Equifax were not patching on time their internet accessible public services nor had properly configured advanced IPS or security control in place, both are a must when you operate with such highly sensitive data. Other security best practices were obviously not followed by allowing the attackers to get real data after breaching an internet edge service.
- A long delay in announcing the breach. This could be explained with the ongoing internal investigation but still the delay could have been used by hackers to their advantage to harm Equifax customers.
- Equifax reaction after the announcement
Equifax came up with a plan to offer some kind of post factum sense of security to its customers and announced a new portal (www.equifaxsecurity2017.com) where its customers might be able to check if their personal and financial information was amongst the ones that were stolen. However, this portal did not give any such information but usually it was either not working (gave System Unavailable message probably due to high load) or was experiencing certificate issues and hence has been blocked by many web security solutions (such as Cisco OpenDNS) or when they finally got it to work – was giving unclear information, a possible scheduled date for enrolling to another service (credit protection) called TrustedID. On top of that some security researchers have noticed that this output is being presented whether the customer presents real data (the portal asks for Last name and last 6 digits of social security number) or fake made up one. Seems this portal is nothing but an attention diversion from the real problem.
- Equifax had problems with the company security vision/leadership
Equifax until recently was looking to hire a vice president of security (they see that position to fulfil the role of a CISO). This position is vital for a company which possess such sensitive information and should not be left vacant. Cyber-security is a mindset and it takes time and persistence to be built. It should always come from the top positions in a large company and have the backing of top managers.
Lessons to learn:
Some simple cyber-security lessons to learn
- Know your assets and their value, this will give you an idea on how much you need to invest in protecting these assets
- Know the risks to your assets and what impact would a damage or leakage have on your company
- Have a strategy/vision that is supported and driven by top management
- Take action to put that strategy in place
- Have a plan in case of a breach, that would help you react and restore your positions, gain back trust from your customers and do proper analysis/forensics of the breach