The pain has only just begun for Equifax. Last Thursday, the giant credit bureau disclosed that hackers stole personal information for 143 million of its customers, presumably mostly Americans, but also Canadians and Europeans.
In less than 24 hours, two Oregonians, Mary McHill and Brook Reinhard, filed a federal class-action lawsuit accusing the Georgia-based company of failing to maintain adequate electronic security safeguards as part of a corporate effort to save money.
Then on Friday, Consumer Watchdog called on California state Attorney General Xavier Becerra to investigate. The advocacy group believes Equifax may have violated California’s benchmark data loss disclosure law, which requires timely notification of the victims in these types of breach cases.
Related podcast: How network analytics can stop intruders before they get too far
John M. Simpson, Consumer Watchdog Privacy Project director, minced no words in lambasting the company for allowing senior executives to dump stock before publicly announcing the breach.
“It’s unconscionable that three top executives sold Equifax stock after the breach was discovered, but before the news was made public,” Simpson says. “The executives who sold their stock based on insider information should forfeit any profits and go to jail.”
Consumer Watchdog is asking AG Becerra to block Equifax’s attempt to push its victims into arbitration and investigate why public notification of the breach was delayed so long.
In this backdrop, ThirdCertainty convened a roundtable of cybersecurity experts to discuss the wider ramifications of Equifax’s disclosures. Here are their comments, edited for clarity and length.
Kenneth Geers, senior research scientist, Comodo
“The sheer size of this breach, which spans at least the United States, Canada and Great Britain, may have frightened some Equifax officials into selling a portion of their company shares.
On the technical side, it is critical that we learn what application was exploited, and what vulnerability was leveraged, so that other companies can take defensive action. Equifax was simply not ready for the level of responsibility that possession of this quantity and quality of digital information requires. It is alarming that, despite past cybersecurity compromises, Equifax today apparently has no chief information security officer (CISO) to talk to.”
Venky Ganesan, managing director, Menlo Ventures
“This isn’t just a few pieces of personal information that were hacked. A credit bureau has all of a consumer’s important information. It knows all the places people have lived, all the credit cards they have, the size of their mortgage, all their liabilities and all the payments they have missed. This is the equivalent to penetrating the Federal Reserve, not merely robbing an individual bank.
Equifax completely botched its response to the breach. They did not notify people promptly and have not told the public the full extent of the breach. Their response website is also a joke. The response may actually be worse than the breach.”
Pravin Kothari, chief executive officer, CipherCloud
“The Equifax breach not only affects nearly half of the U.S. population, it also includes personal data of residents in the UK. If this breach had occurred after May 2018 when the EU’s new General Data Protection Regulation (GDPR) goes into effect, Equifax could have had to pay penalties of up to $120 million (4 percent of global revenues.)
The EU adopted GDPR in April 2016 and gave organizations a two-year period to prepare, however, many companies have yet to begin their compliance efforts. We expect GDPR to serve as a model for similar regulations in the U.S. and around the world, helping to protect individual privacy and thus minimize the economic threat from future data breaches.”
Derek Manky, global security strategist, Fortinet
“Security breaches are a reality every organization faces, whether targeted or not. An important strategy to consider in addition to proactive lines of defense, strong cyber hygiene, and actionable threat intelligence is using segmentation to reduce critical impact of a threat. Once a threat gains entry, it can spread and eventually extract the valuable assets it was sent to retrieve. Or worse, it can encrypt and hold for a high-value ransom. Segmentation is extremely valuable to limit spread and reduce impact.”
Anthony Di Bello, senior product director, Guidance Software
“Equifax’s breach is yet another data point, albeit a massive one, in the new reality of organizations being continuously compromised. We’ve done research that shows one in four businesses suffered direct financial losses due to a cyber attack in the past year, and the number of organizations reporting significant financial losses tripled.
We’re in a new reality where it’s not just ‘will my company get breached?’ but a question of when. Fighting back requires a well-planned endpoint detection and response strategy that can mitigate the otherwise crippling repercussions businesses are increasingly seeing from these cyber attacks.”
Bob Ackerman, managing director, Allegis Capital
“The direct and indirect costs of this breach, including the class-action lawsuit, could easily surpass $500 million. It is almost inevitable for a large aggregator of highly sensitive data to be breached at some point. It is a big, juicy target. There is a strong argument for decentralization of data collections. No single failure should result in a catastrophic loss.
The data should have been encrypted. No excuses—period. This is an example of the type of dataset that will benefit from homomorphic encryption (encryption for data in use) as it becomes available.”
Matthew Gardiner, senior product marketing manager, Mimecast
“While the collection and aggregation of consumer information to feed the generation of credit scores is tremendously important to the consumer credit market, the downside of the mass centralization of this sensitive data is risk of loss on a mass scale. This is an example of how a single breach can lead to the release of data on nearly half the U.S. population.
This data in the hands of malicious actors can be used in many ways to steal money or data from individuals and businesses and, of course, can be sold on the black market to other specialized cyber criminals. It is important that consumers and businesses take this breach seriously and double down on their security controls.”
Josh Mayfield, platform specialist, FireMon
“Seeing what happened to Equifax should awaken us to the realization that we must do something different. These things happen because we continue to follow an outdated playbook with directives that haven’t evolved to address the changes in the world.
Threat hunting is a discipline that uncovers the changing Tactics, Techniques and Procedures (TTPs) of sophisticated adversaries. We should demystify the notion that threat hunting is the preserve of super-elite organizations or individuals. Threat hunting involves open-ended, recursive, combinatorial search across all datasets to reveal what is currently hidden. Anyone can hunt, it only requires following the methods and principles for threat hunting.”
John Gunn, chief marketing officer, VASCO Data Security
“The magnitude of this breach is unprecedented, and, unlike a breach that involves credit card data, these millions of victims will be at increased risk of fraud for the rest of their lives. You cannot get a replacement Social Security number because your service provider had inadequate security measures.”
Andrew Avanessian, Chief Operations Officer, Avecto
“Basic security hygiene could have been enough to prevent a breach of this scale from happening. Security is never a one-time investment, it is a journey not a destination — and it requires constant thought, attention and action.
It’s crucial that those affected stay vigilant as the details exposed in this incident are enough for a hacker to commit fraudulent acts and even steal personal identities. I’d recommend watching out for emails asking to confirm personal details, or requesting username and password information. If you’re ever unsure, it’s always best to contact a company directly by phone, to check it’s an authentic communication.”
September 12, 2017