Already being coined as one of the worst data breaches of its kind, Equifax announced on Thursday, September 7, that approximately 143 million people in the U.S.—nearly half of the country’s population— along with an unspecified number of people in Canada and the U.K., could be affected by a cybersecurity incident that occurred between mid-May and July 29. As an international credit reporting agency based in Atlanta, Equifax harbors the sensitive data of nearly 820 million people and over 91 million businesses around the globe.
When data breaches occur—especially ones with a critical impact and a large number of affected consumers such as the recent Equifax incident—the public rightly deserves to know the facts related to the situation. A global, well-funded organization such as Equifax should certainly have the internal resources and expertise to design and implement a comprehensive cybersecurity program, so, a logical question one might ask is, “Why was a vulnerable Internet-facing system left unpatched for so long?”
Given the size of the company and the nature of its business (Equifax collects and provides personal information on many consumers as a part of credit checks and other inquiries) it would seem fair to assume that Equifax’s internal cybersecurity and IT experts understand and are accountable to proper cybersecurity measures, and that the company’s cybersecurity program is adequately funded and staffed. From the details made available regarding the breach, Equifax claims that the breach occurred from an unpatched vulnerability in a commonly used web application server operating system (Apache), and that the specific vulnerability was discovered, reported, and a patch issued for Apache in March of this year, but Equifax neglected to apply the patch to the system that would later be compromised.
Three Key Things to Consider When Examining Root Cause of a Data Breach
As Equifax apparently has a vulnerability management process that involves regularly scanning and patching its systems, many are questioning how this intrusion came to be, and why the company’s processes failed to identify and apply the patch. In examining the root cause of this data breach, here are three key things to consider:
1. Accidents Happen
Even for companies that have mature cybersecurity processes in place, sometimes missteps or control failures can occur. In the case of the Equifax data breach, it’s very likely that the company had a robust security program in place, however, the Apache Struts vulnerability was apparently suppressed in the company’s vulnerability reporting system, which caused it to not appear in the system’s report activity. Had the issue shown up on the report properly, the company’s threat and vulnerability experts could have notified the responsible areas, as well as followed up to ensure that proper patches were installed. A second, independent vulnerability validation process (see item 3 below) could have helped in this case. Note that vulnerability suppression is not an excuse for this breach, but rather, it is an example of how control processes are not infallible.
2. Cyber Attacks are Inevitable
Companies with large troves of sensitive data in their systems, and especially ones in the sensitive data business, should expect to be targets for attackers in search of data that can be used for identity theft, credit card fraud, or insurance fraud. Equifax was, no doubt, aware of such threats, however, a proactive approach to cybersecurity can be the best strategy for safeguarding against these inevitable attackers.
3. A Layered, Defense-In-Depth Strategy Can Help
A layered, defense-in-depth strategy, such as the one we espouse at LBMC Information Security, includes multiple, layered security controls so that there is rarely a reliance on a single control to provide sole and complete protection, as well as periodic inspections of a company’s security posture to validate that controls are functioning as intended. In the case of this Equifax breach, it didn’t originate from a failure to implement an information security program, but rather a failure in at least one control process within the program. When it comes to vulnerability management, high-risk organizations would be well-served to have a second vulnerability scanning process to serve as a “double check” of the company’s externally accessible systems to ensure that all security vulnerabilities are identified, categorized, inventoried, and remediated in a timely manner. Ideally, this second scanning process should be conducted using a separate vulnerability scanning engine, as well as by a department or entity independent from the internal function that conducts the primary vulnerability scanning processes. Had Equifax implemented a secondary vulnerability scanning process, it is likely that the Struts vulnerability would have been detected and could have been added to the company’s vulnerability management efforts, and the breakdown in the primary vulnerability scanning process would have also been detected and could have been addressed.
What to Know About the Equifax Data Breach
Cybercriminals exploited an unpatched vulnerability in a commonly used web server platform that allowed them to gain access to certain files and information in Equifax’s dispute resolution software application, including names, social security numbers, birth dates, addresses, and driver’s license numbers. Equifax also affirmed that credit card numbers for nearly 209,000 U.S. customers were exposed, as was "personal identifying information" on approximately 182,000 U.S. customers involved in credit report disputes.
In a video on its site, Equifax Chairman and CEO Richard F. Smith says, "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes." In an interesting development, also announced on September 7, three Equifax senior executives were reported to have sold stock worth almost $1.8 billion just days after the company became aware of the data breach. Equifax has indicated that these executives had not been informed of the cybersecurity incident at the time the shares were sold. Not surprisingly given the scope of the breach, the latest stock market reports show that Equifax stock prices have seen a 13 percent drop since the breach announcement was made.
In the breach announcement, the company indicates that it took immediate action to stop the intrusion once it was discovered and that it has found zero evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases. Equifax also indicates that it promptly engaged a leading, independent cybersecurity firm that has been performing a comprehensive forensic review of the intrusion’s scope, which includes the specific data impacted. In his statement, Chairman and CEO Smith added, “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
In addition, Equifax officials have reported the criminal activity to law enforcement and are working with authorities in on ongoing basis. Even though Equifax’s investigation of the data breach is substantially complete (which may help to explain the long period of time between the company’s discovery of the breach and the public announcement), further analysis will no doubt continue into the coming weeks.
Are You at Risk?
Equifax has created a special website to help consumers determine if their information has been impacted. Along with the website, Equifax will be sending direct mail notices to consumers whose credit card numbers or dispute documents were impacted.
Interestingly, Equifax has taken the admirable step of offering credit file monitoring and identity theft protection for ANY US consumer, regardless of whether or not the consumer’s data was affected by the breach. Consumers wishing to take advantage of the credit monitoring service may sign up on their site for credit file monitoring and identity theft protection.
The bottom line
Organizations will never reach the finish line in cybersecurity because even as companies get better at deploying defenses, new flaws and new attacks will continue to be identified and launched, which will require organizations to continually adapt their programs and defenses accordingly. Entities committed to proper cybersecurity and data protection must acknowledge that fact and decide to either run the race, or stop committing resources to cybersecurity and face the risks and resulting consequences. For those organizations that are committed to properly and effectively managing cybersecurity risks, cybersecurity professionals such as the ones at LBMC Information Security continue to find ways to safeguard against the newest threats and attacks, and our mission is to work with organizations to elevate their security objectives into effective, risk-managing cybersecurity programs.
For companies and business leaders who want to make sure your data is secure and safe from cybercriminals, LBMC Information Security exists to help organizations armor up with a wide range of network defense services from the national leaders in IT security—including ongoing risk assessments, security monitoring, incident response tabletop exercises, and more. LBMC Information Security brings an experience level that is both deep and broad in the areas of compliance and audit needs, managed security services, and security consulting. More information and contact details can be found at the company’s website.