12 Apr The 2017 Equifax data breach… $500m and climbing

Claimed to be the most expensive cyber security breach recorded to date, some 143 million consumers around the world were affected — most of which were in the U.S., but also Canada, U.K. and Australia — with that figure later rising to 148 million consumers.

How did it happen?

It was the failure to patch a vulnerability in the Apache Struts open source web application framework. Using that vulnerability, attackers found their way into the network and stole data.

The company allowed eight Secure Sockets Layer (SSL/TLS) certificates to expire in November 2016. It took until the night of July 29, 2017, to replace these certificates, including one for an online dispute portal that the attackers used to penetrate the network on May 13, 2017.

For 78 days between March and July of that year, the attackers had access to the Equifax network through this portal.

Once inside the network, the attackers found databases that contained unencrypted usernames and passwords, which gave them further access to customers’ personally identifiable data (PII Data) including birth dates, addresses, as well as driver’s licences and credit card numbers.

When the new SSL/TLS certificates were installed in July 2017, the security team immediately noticed traffic coming from an IP address in China, where the company did not have a business presence.

Why did it happen?

According to a recent 71-page US Congressional report, the lack of a strong security culture at Equifax – was a key factor contributing to its 2017 data breach that exposed the personal records of millions.

Equifax failed to follow its own cybersecurity policies, including those spelling out how and when to patch critical software vulnerabilities. Company executives did not prioritise security, and many key decisions were left to lower-level IT employees. Equifax lacked a comprehensive IT asset inventory, meaning it lacked a complete understanding of the assets it owned

The US Report concluded Equifax’s response to the March 2017 cybersecurity vulnerability that facilitated the breach was inadequate and hampered by Equifax’s neglect of cybersecurity.

The Cost?

In cash terms, the 2017 Equifax data breach is reported to have cost the company in excess of $500m, so far. The cost in reputational damage is immeasurable.

Try to understand the frustration, inconvenience and possible lifetime of consequential issues caused to many of those 148 million people who, in good faith put their trust and their private information in the hands of Equifax, only to find that their private details are being sold and exploited on the black market.

Good cyber hygiene is not the responsibility of one person, it’s the responsibility of the whole business. Cyber security awareness has to be an integral part of your business culture today. Your clients expect it from you; you expect it from your service providers. Let’s see some leadership on the matter and avoid the consequential damage being caused by a lack of accountability and culture of avoidance.