Cybersecurity experts discuss the Equifax data breach, how it could have been handled better and what it means for organisations
Credit monitoring firm Equifax has this week admitted that a data breach discovered in July affected around 143 million US consumers, close to half the population of the USA.
It is a significant breach: the exposed data includes social security numbers, dates of birth and addresses. Some UK and Canadian residents could also be affected.
But what does this incident teach businesses, especially with GDPR just around the corner? Cybersecurity experts have had their say.
Justin Fier, Director of Cyber Intelligence & Analytics, Darktrace
“Time and time again, we have seen attacks of this scale plague the news. It is clear that companies have a huge visibility problem – they simply cannot see what is happening inside their own networks. New cyber-attacks are increasingly inconspicuous and, in Equifax’s case, were able to exfiltrate data from the network for almost two months without sounding any alarms.
“With 143 million accounts potentially breached, cyber-criminals are undoubtedly succeeding in undermining consumer confidence in organisations’ ability to keep our information private. Companies need to ask themselves a crucial question: how do you stop the attacker already inside your network, before it escalates into a crisis?”
David Emm, principal security researcher at Kaspersky Lab
“This is yet another case of a breach becoming public long after the incident itself occurred, which underlines the need for regulation.
“It’s to be hoped that the GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and, secondly, notify the ICO of breaches in a timely manner,” he added. “The best way for organisations to combat cyber-attacks is by putting in place an effective cyber-security strategy before they become a target.”
Consumers have no control over the security of their online providers, but they can mitigate the risk of a security breach of an online provider’s systems. We would recommend that everyone uses unique, complex passwords for all their online accounts, and we would also urge people to take advantage of two-factor or two-step authentication where a provider offers this.
Etienne Greeff, SecureData CTO
“Today’s news on the hack against credit reporting firm Equifax is a textbook example of how not to handle a data breach effectively. Over half the population of America was put at risk, not to mention the vast number of credit cards that were compromised. Yet, despite the severe and far-reaching repercussions of the incident on customers, the reaction from the company has been lacklustre and worrying.
“In response to the breach, Equifax created a website – Equifaxsecurity2017.com – that offers free identity theft protection and credit file monitoring to all US customers. However, customers are asked to input additional information into the website that doesn’t even have a valid security certificate. It’s akin to offering contents insurance to a person whose house has already been robbed – and potentially putting them at risk even further.
“What’s more, Equifax has been relatively tight lipped about the type of information that has been compromised, meaning if customers want to take advantage of the company’s Credit Freeze feature to prevent further credit theft, they have to use a PIN number that may or may not have been stolen by cybercriminals.
“In short, Equifax’s knee-jerk and ill-considered response to the breach is shambolic. It appears the company is more concerned about its own image than supporting customers and providing transparency on what exactly has happened. With the GDPR legislation due to come down heavily on companies that neglect to better protect customer data, this should serve as a lesson to other businesses about how to be more prompt and forthcoming with action against cybercrime.”
Chris Morales, head of security analytics at Vectra
“Equifax needs to raise their cybersecurity score. Enterprises have to realise they cannot address cybersecurity by simply spending money on intrusion prevention solutions and instead need to shift investments to detection and response solutions that are being used by today’s advanced attackers.
“The cyber attackers gained a foothold by seemingly exploiting a web application vulnerability. From there, they most likely escalated privileges, abused credentials and admin protocols, moving laterally through the network, which businesses rarely have the necessary tools to detect.”
Nigel Hawthorn, Skyhigh Networks
“No doubt Equifax has been working feverishly behind the scenes since it found the breach in July. All businesses must think about the steps they would take in similar circumstances to investigate a breach, track the data lost and put together a communication plan to customers.
“Not having a pre-prepared and tested incident response plan causes delay in disclosing data loss which simply opens up the company to further criticism and reputation damage when information is eventually publicised. Moreover, companies have to ensure that they are aware of every outsourcer, business partner or cloud service that may be sharing data, as similar breaches at any of those will have repercussions up the chain.”