comforte Lounge Blog


    Our take on the Equifax data breach – 1 month later

    Seems like just when the news couldn’t get any worse for Equifax, it does. 


    Initially, when the data breach was reported, the company stated that at least 143 million people were affected. Now it has been found that an additional 2.5 million people were affected, bringing the total to 145.5 million.


    “I was advised Sunday that the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed, and I directed that the results be promptly released,” Equifax interim CEO Paulino do Rego Barros, Jr. said in a statement.


    Here is what happened in a nutshell: attackers accessed files containing sensitive personal data of consumers between mid-March and July 2017, through a recently disclosed Apache Struts vulnerability for which a patch was already available. Equifax discovered the intrusion on July 29 and reported it publicly on Sept 7.


    As with every company that experiences a data breach, an incident response team was assembled; part of its job was to determine how the intrusion was possible and to tally up the damage. The 145.5 million affected consumers are not all from the United States: consumers in Canada, the UK and other countries around the world are also part of this number. Stolen records included full names, Social Security numbers, dates of birth, addresses and other personal information, and even hundreds of thousands of credit card numbers. This was a significant security failure.


    Since the data breach was announced, fallout at Equifax has been significant:


    • Sept – Equifax (NYSE:EFX) stock fell 25.6% over the month
    • Sept 15 – then-CIO David Webb and then-CSO Susan Mauldin announced their retirement
    • Sept 26 – CEO and chairman of the board Richard Smith “retired,” effective immediately, but will serve as an unpaid adviser to Equifax to assist in the transition while it seeks a new CEO
    • Oct 3 – the ex-CEO began the first of three US Congressional hearings on Capitol Hill, testifying about the data breach


    The company is now being hit with a wave of lawsuits and faces legal action from credit unions, customers and shareholders.


    If there is any consolation, Equifax claims to have identified the cause of the problem. Even though the company has spent $250M on cybersecurity over the last 3 years and has a 225-person security team, one person didn’t do their job. “The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not," explains ex-CEO Smith.


    According to his written testimony, Equifax sent out an internal email on March 9th instructing that the Apache Struts update be deployed within 48 hours. The patch was not applied, and when the IT department ran vulnerability scans a few days later, the scans did not flag the still-vulnerable Struts installation. It was apparently all up to one person to communicate that a patch was available for a newly disclosed vulnerability, and that person did not relay this critical information.


    Hackers, who quickly recognized the vulnerability, started to access the sensitive information on March 13th and continued to do so over a period of months before finally being detected.


    That raises the question: was all of that sensitive data exposed because of a missed patch? What happens when the next vulnerability is found? How many systems need to be patched at any given time? Even if Equifax now institutes better IT security policies for patch management, does that alone minimize the risk of the next data breach?


    At comForte, we believe there is a better way to address cybersecurity risk than relying on patch maintenance and perimeter controls alone. We recommend an approach that focuses on protecting the data itself, by means of tokenization or encryption. When sensitive data is about to be written, in real time, to files or to databases, a step is performed to de-identify it first. With tokenization, the sensitive value is replaced by a token, and only the token is written to the file or database; the mapping back to the real value is kept in a separately secured token vault. With encryption, the value is transformed under an encryption key so that only a holder of the key can recover it. In both cases, if the tokenized or encrypted data is stolen, it has no exploitable value to a criminal, as long as the token vault or the encryption keys are not exposed along with it. Both methods have been in use for years and, when implemented properly, have negligible impact on transaction performance while providing solid protection of the data itself.
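    As an added illustration (this is not comforte’s code, nor a description of its product), the following Python shows the tokenization branch of this write-time step with an in-memory stand-in for the token vault and for the application database. The names, the record layout and the sample values are assumed for the example. The encryption branch, which would use an authenticated cipher such as AES-GCM with the key held outside the database, follows the same write-time pattern and is not shown.

```python
import secrets


class TokenVault:
    """Stand-in for a tokenization service's vault (assumed, for illustration).

    Only the vault can map a token back to the real value. The application
    database, log files and report extracts only ever see tokens.
    """

    def __init__(self, keep_last=4):
        self.keep_last = keep_last      # trailing digits left in the clear
        self._by_token = {}             # token -> real value
        self._by_value = {}             # real value -> token (stable mapping)

    def token_for(self, value):
        """Return the existing token for value, or None if it was never tokenized."""
        return self._by_value.get(value)

    def tokenize(self, value):
        """Return a format-preserving token for value; the same value always
        yields the same token, so the token can still serve as a join key."""
        existing = self._by_value.get(value)
        if existing is not None:
            return existing
        digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
        if len(digit_positions) <= self.keep_last:
            raise ValueError("not enough digits to replace; refusing to tokenize")
        replaceable = digit_positions[: len(digit_positions) - self.keep_last]
        while True:
            chars = list(value)
            for i in replaceable:
                chars[i] = secrets.choice("0123456789")   # CSPRNG, not random.choice
            token = "".join(chars)
            # A token must never equal the value it protects or collide with an
            # existing token; both cases are rare, so simply draw again.
            if token != value and token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        """Privileged operation: only callers with vault access can do this."""
        return self._by_token[token]


def write_customer(db, vault, name, ssn, dob):
    """Persist a customer record; the SSN is de-identified before it is written."""
    row = {"name": name, "ssn_token": vault.tokenize(ssn), "dob": dob}
    db.append(row)
    return row


def find_customer(db, vault, ssn):
    """Look a customer up by SSN without the database ever holding the SSN."""
    token = vault.token_for(ssn)
    if token is None:
        return None
    for row in db:
        if row["ssn_token"] == token:
            return row
    return None


def stolen_dump(db):
    """What an attacker who copies the whole table actually walks away with."""
    return [dict(row) for row in db]


if __name__ == "__main__":
    # Constructed sample data; not real people.
    vault = TokenVault()
    db = []
    write_customer(db, vault, "Jane Doe", "123-45-6789", "1980-01-01")
    write_customer(db, vault, "John Roe", "987-65-4321", "1975-06-30")
    for row in stolen_dump(db):
        print(row)   # a random token such as 604-18-6789 stands in for the SSN
    print(find_customer(db, vault, "123-45-6789")["name"])
```

    The point to notice is where the trust boundary sits: `write_customer` and `find_customer` work entirely on tokens, while `detokenize` is the one privileged call, so the vault (or, for encryption, the key store) is what has to be isolated, access-controlled and monitored.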


    As a result, whether the patch was applied, or whether the firewalls kept the attackers out, would have mattered far less: the files and database records they copied would have contained tokens or ciphertext rather than Social Security numbers. The caveat is that an attacker who gains code execution on an application server can try to use the application’s own detokenization or decryption path, so access to the vault and keys must be tightly restricted and monitored, and patching remains part of the picture. Organizations need to focus on protecting the data itself to render it unusable for criminal activity. Done right, this approach would have left the attackers with nothing they could exploit!



    Want to make sure that you are doing everything to protect the data from your customers? Schedule a Security Health Check.