In the afternoon of September 7th, Equifax issued a press release which said that about 143 million U.S. customers of the credit reporting firm could have been impacted by a cyber attack on the company. The company said the unauthorized access actually occurred “from mid-May through July 2017.”
“This is clearly a disappointing event for our company and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Richard Smith, chairman and chief executive officer of the Equifax.
The company maintains that it has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases; however, the breach still exposed a substantial amount of data.
“The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers,” according to the Equifax press release. “In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers were accessed.”
Equifax also found evidence of unauthorized access to limited personal information for U.K. and Canadian residents. The company said it will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
Was customer information encrypted?
Equifax evidently dropped the ball on this one, according to Elliot Lewis, vice-president of security, risk, and compliance with analyst firm Info-Tech Research Group.
“Equifax is supposed to be the pinnacle of privacy best practice. They stake their brand on the idea that they can protect your credit information,” he said. “For a company handling this type and amount of information, they should have had better security.”
For instance, Lewis said, it appears that customers’ personally identifiable information (PII) was not properly encrypted.
The analyst said that companies that have customer PII encrypted are typically quick to convey that fact in their public announcements of a data breach. Having customer data encrypted ensures that hackers who manage to steal the information cannot use it if they do not have the encryption keys.
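The point the analyst makes, that stolen ciphertext is useless without the key, only holds when the key is stored somewhere the attacker cannot reach from the data store. The following Go program is an added illustration written for this article, not code from Equifax or any of the firms quoted; it models a record store that holds only AES-GCM ciphertext for the SSN field, with the key held by a separate (hypothetical, in-memory) key service. Record IDs and the sample SSN are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Record stands in for one row of a customer table. It never holds the
// plaintext SSN, only base64(nonce || AES-GCM ciphertext).
type Record struct {
	Name   string
	SSNEnc string
}

// KeyStore models a separate key-management service (an HSM or KMS in a
// real deployment; hypothetical here). A database dump does not include it.
type KeyStore struct{ key []byte }

// NewKeyStore generates a random 256-bit AES key.
func NewKeyStore() (*KeyStore, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyStore{key: k}, nil
}

func (ks *KeyStore) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one PII value. The record ID is bound as associated
// data so a ciphertext copied from one row is rejected on another.
func (ks *KeyStore) EncryptField(recordID, plaintext string) (string, error) {
	aead, err := ks.aead()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField; it fails on a wrong key, a wrong
// record ID, or any modification of the stored value.
func (ks *KeyStore) DecryptField(recordID, encoded string) (string, error) {
	aead, err := ks.aead()
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(ct) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := ct[:aead.NonceSize()], ct[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, body, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Leaks reports whether the stored form of a record contains the plaintext
// SSN, i.e. what an attacker who copied the table (but not the key) sees.
func Leaks(r Record, ssn string) bool {
	return strings.Contains(r.SSNEnc, ssn)
}

func main() {
	ks, err := NewKeyStore()
	if err != nil {
		panic(err)
	}
	const ssn = "123-45-6789" // constructed sample value
	enc, err := ks.EncryptField("cust-0001", ssn)
	if err != nil {
		panic(err)
	}
	rec := Record{Name: "Sample Customer", SSNEnc: enc}
	fmt.Printf("stored row: %+v\n", rec)
	fmt.Printf("plaintext visible in dump: %v\n", Leaks(rec, ssn))
}
```

The design choice that matters is the separation: the web tier and the database can hold ciphertext and nothing else, and a stolen table only becomes PII again through a call to the key service, which is exactly the place to enforce access control, rate limiting and logging.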
Kevin Lonergan, a senior analyst for infrastructure solutions at analyst firm IDC Canada, also wonders what sort of backend protection Equifax was employing, given that cybercriminals were able to reach the data through a Web application.
Equifax reported that a Web site application vulnerability allowed hackers to gain access to the company’s files.
As part of a routine security practice, “that Web app should not have had that much access to that type of data at all,” said Lonergan.
Why did it take 40 days for Equifax to report the breach?
There have been many questions about why it took Equifax several weeks to publicly announce the breach.
The breach was reported to the public September 7, but the domain used by Equifax to hold the special breach information Web site, equifaxsecurity2017.com, was registered in August. Site content was not uploaded until a week into September.
Lewis said Equifax’s “response time was pretty good” considering that the company’s security team first had to determine if there was indeed a breach, identify the systems affected, and evaluate the impact and extent of the breach before reporting it.
But even given that, Equifax could have done better, he said.
“That response time was pretty good for most businesses,” said Lewis. “But companies the likes of Microsoft, IBM and others have protocols in place that hold them to just five to up to a couple of weeks to examine an incident and disclose a breach…for the type of business they are in and the information they handle, Equifax should have been up there with these companies.”
In fact, businesses generally take a long time to report data breaches. Remember the Yahoo breach that affected 500 million accounts? It took years before the company publicly disclosed the intrusion – although it is still not very clear when Yahoo discovered the breaches.
“Recent IDC Canada data shows that 83 per cent of Canadian security professionals reported that their organizations suffered a minor breach and 49 per cent of respondents reported a major breach,” said Lonergan. “As many as 61 per cent of Canadian companies take months if not years to learn if they have been breached.”
How can consumers protect themselves?
“Although smaller than some of the breaches we’ve seen over the last few years, a breach at an organization such as Equifax is considerably worse since they collect a significant amount of personally identifiable information,” said Lonergan. “This is exactly the type of data hackers and criminal organizations look for because it makes identity theft easy. There’s enough data there that it could be used to verify your identity for other online accounts.”
The IDC analyst recommended following these cybersecurity best practices:
- Use HTTPS: any time you provide personal information online, make sure the page is secured via HTTPS. If possible, don’t let third parties save your credit information. It may be a little less convenient to enter your information each time, but less of your information will be at risk if the organization experiences a breach.
- Be wary of emails asking for, or asking you to update, personal information. Phishing schemes are a common way for attackers to obtain your information by disguising malicious emails as messages from a legitimate organization. Always check the sender’s email address to ensure it matches the organization the email claims to come from. When in doubt, call the organization directly.
Why did Equifax execs sell their stocks after the breach?
One of the more controversial questions arising from the incident is a report that three executives of the company sold off their Equifax stocks before news of the breach was released.
Business news site Bloomberg.com reported that Securities and Exchange Commission filings indicated that on August 1st, Equifax chief financial officer John Gamble sold Equifax shares worth US$946,374. Joseph Loughran, president of U.S. information solutions, sold $584,099 worth of stock, and on August 2nd, Rodolfo Ploder, president of workforce solutions, sold $250,458 worth of stock.
In an email to the publication, Ines Gutzmer, a spokesperson for Equifax, said the three executives “had no knowledge that an intrusion had occurred at the time.”
Why is Equifax only offering a year of protection for customers whose data was stolen?
Equifax is offering affected customers a service called TrustedID Premier. It includes 3-Bureau credit monitoring of Equifax, Experian, and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers.
All of this is complimentary to U.S. consumers for one year. Shouldn’t Equifax be offering this protection for far longer?
The perpetrators of the breach are not necessarily the same people who would be using the stolen data. The stolen data is typically sold in blocks to other cyber criminals who would use the information for identity theft, said Lewis. “This could be done months if not years after the breach has occurred,” according to the Info-Tech analyst.