The Equifax breach isn’t the largest data breach, but it is one of the most troubling because of its massive scope, the nature of the information stolen, and the absolutely awful way in which it has been handled.

While Hurricane Irma dominated the national news late last week, a man-made disaster unfolded in the background as credit reporting giant Equifax disclosed that hackers had breached its website and accessed the personal identifying information (PII) of 143 million Americans, including Social Security Numbers, dates of birth, address and employment information and, in some cases, credit card numbers. In terms of the number of people impacted, the Equifax breach is not the largest in history; that dubious distinction is held by Yahoo. However, it may end up being the most destructive due to the particularly sensitive nature of the compromised information and the fact that it impacted about half the U.S. population. Once minor children and other people who do not have credit histories are excluded, the picture becomes even bleaker. The Equifax breach may have compromised the PII of anyone living in the U.S. who has ever had a credit card, a car loan, a mortgage, a lease, or anything else that involves a FICO score.

Meanwhile, a group of hackers who claim to be behind the Equifax breach have demanded a Bitcoin ransom of approximately $2.6 million in exchange for not publicizing the data.

How has Equifax responded to all of this? By doing … well, pretty much everything a company shouldn’t do after a data breach, especially one of this magnitude.

Equifax Breach Response: A Case Study in What Not to Do

As bad as this hack was, Equifax’s response to it has been even worse. Their actions have been so galling that members of Congress are demanding hearings to investigate the breach and Equifax’s poor handling of it. Here are some of the highlights:

• Equifax first discovered the breach on July 29, after the hackers had been in their system for about a month.
• In the days following the discovery, three senior Equifax executives sold approximately $1.8 million in shares. The company claims that said executives were not aware of the breach.
• The victims had to wait until early September to find out about it. Not only did Equifax wait several weeks to disclose the breach, but they also made their announcement while the nation was transfixed by Hurricane Irma, which was barreling towards Florida and prompting one of the largest mass evacuations in history.
• The website that Equifax set up for victims to determine if they were part of the breach was so poorly constructed – complete with gaping security holes – that many visitors thought it was a phishing attempt.
• This same website appears to double as a marketing vehicle for Equifax’s own credit monitoring service. The company is offering a free year’s subscription to the victims, which begs an obvious question: If Equifax itself couldn’t keep victims’ data secure, why in the world would they trust the company’s “credit monitoring” service?
• Rather than taking responsibility for the hack, Equifax is seeking to pass the buck, blaming a vulnerability in open-source server framework Apache Struts, even though there is currently no evidence that Struts was the source of the breach.

How bad do things have to get before we take cyber security seriously?

Another reason why the Equifax hack is so much worse than the hacks at Target, Yahoo, Verizon, Anthem, and other private-sector companies is that while consumers can choose to stop patronizing those other companies, they have no choice but to have their data handed over to Equifax. There is currently no way for consumers to “opt out” of having their personal and credit data aggregated by Equifax and its competitors, Experian and Trans Union. Even if there were, the modern economy runs on credit; without a FICO score, Americans cannot obtain car, home, or student loans, be approved for rental leases or, in some cases, find a job.

Equifax’s response to this hack has been inexcusable. So is the fact that the breach happened in the first place. If any company needed to practice proactive cyber security rooted in sound governance, risk, and compliance, it was Equifax. Equifax does not collect PII as a consequence of doing business; collecting PII is its business. As the old saying goes, with great power comes great responsibility, and Equifax has failed miserably in its responsibility not only to American consumers but also the entire nation.

The Equifax breach is going to end up affecting all Americans in one way or another. Will this be the breach that finally wakes businesses and individuals up and prompts them to realize that cyber security is now everyone’s responsibility? Let’s hope so, because we absolutely do not want to see a cyber attack that’s even worse than this one.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards. 

[bpscheduler_booking_form]

Baseball may be America’s favorite pastime, but from the Black Sox scandal to Pete Rose to the “Steroid Era,” cheating schemes have long tarnished the game. Sadly, it was only a matter of time before cheating went high-tech. Former St. Louis Cardinals executive Chris Correa has been sentenced to 46 months in prison for violating federal hacking laws after breaching the Houston Astros’ database and stealing proprietary information such as scouting reports and trade negotiation notes. Although the MLB claims that it appears Correa acted alone in the Houston Astros hack, it is launching an internal investigation into the Cardinals organization and may sanction the team.

How and Why the Houston Astros Hack Happened

Most data breaches are not the result of hackers finding “backdoors” into systems; they are due to hackers getting hold of stolen login credentials, obtained either through a phishing scheme or by taking advantage of employee carelessness, such as employees using weak passwords or writing login credentials on sticky notes and leaving them in plain sight. The Houston Astros hack was the fault of simple carelessness on the part of a new employee (identified only as “Victim A” in court documents) whose previous employer was the Cardinals organization.

When Victim A left the Cardinals to take a job with the Astros, he was told to return his work laptop, including its password information, to Correa. Correa got the idea to try to use this same password, and a few variations of it, to see if he could use it to access the Astros’ database, which was nicknamed “Ground Control.” Correa was right; the employee had chosen a nearly identical password for use in his new job, and Correa was able to use it to walk right in the front door of Ground Control.

Eventually, the Astros updated the Ground Control system, thus changing the login credentials, but that was only a bump in the road for Correa. The password still worked for the employee’s email account – and the Astros had emailed new default login information to all employees.

How Could the Astros Have Prevented the Breach?

The Houston Astros hack resulted from poor cyber security practices on very basic levels:

• Weak passwords chosen by the employee and used on multiple systems. No matter how many times people are told to use strong passwords, change them frequently, and not use the same passwords for multiple systems, most people simply don’t take this warning seriously. For this reason, organizations should not allow employees to choose their own passwords. They should be assigned strong passwords for each system, and the system should require that they be changed periodically.
• Not requiring multi-factor authentication to access sensitive data. A user name and strong password may be fine for an email account, but systems that contain sensitive information should require multi-factor authentication for access.
• Sending default login information through email. The Astros should not have sent employees new Ground Control login credentials through email; instead, the login credentials should have been given to employees in hard copy, and the system should have been set up to require that the credentials be changed as soon as the employee logged in for the first time.
• Not monitoring networks for anomalous activity. Correa was lurking around in Ground Control for well over a year before he was discovered, and that only happened because confidential trade information was leaked online. Had the Astros been monitoring their system, they may have noticed user activity that deviated from baseline norms, such as the user logging in from an unusual location.

Correa’s plea deal estimates that the Astros lost $1.7 million to this breach. Regardless of whether the MLB decides to take action against the Cardinals organization, the Astros need to take a hard look at their information security practices – and other organizations should learn from the Astros’ very expensive mistake. Proactive security measures that prevent cyber attacks are always cheaper than reactive cleanup after a breach has occurred.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization.

[bpscheduler_booking_form]