The Equifax Breach: A debrief

As more and more details emerge in the wake of the Equifax breach, this should provide a perfect period of reflection for many companies, including those in the financial services sector - who still have a lot to learn about the handling of a major breach. With over 145 million Americans affected and reports of execs selling off stock before announcing the breach to the public, it demonstrates the reputational damage a firm can experience in the wake of a cyber-attack.  

After a major breach, there is often a period where companies will take a step back and revaluate their current security posture to ensure they don’t fall victim in the future. However, there is still so much we still don’t know in relation to Equifax. The news is likely to get much worse, as it so regularly does in these sorts of situations.  There will most certainly be significant legal action taken as more and more people learn their identities were stolen.

Companies, regardless of sector should use Equifax as a springboard in which to access their breach mitigation protocols and their cybersecurity posture. It is likely that any organisation could experience a failure like this, and failure must be used as a step towards improving and ultimately, succeeding. And when we consider the value of the data that financial services process daily, they are sure to be next in the cybercriminal’s crosshairs.

Here’s what we know so far…

Before we start looking at remediation techniques in the wake of a breach, it’s important to gather as much information about what has happened, what’s been compromised, who’s been affected etc.  In Equifax’s case, this is what we know:

• Equifax learned of unauthorised access to its systems on 29th July of this year.
• They then hired a forensics firm to investigate the access, this is still ongoing.
• As we currently stand, around 145 million Americans and nearly 700,000 UK residents have been affected
• Of this, around 209,000 US consumer’s credit cards numbers have been put at risk
• Equifax claims that hackers gained entry through an application vulnerability
• An employee in Argentina had used ‘admin/admin’ as their ‘username /password’ for a tool

The information stolen has a very real monetary value on the dark web – social security numbers, birth dates, address histories and legal names can be commit identity theft, whilst consumer credit card numbers in the hands of criminals have their obvious repercussions. Needless to say, those responsible for this breach have inherited a wealth of damaging data in order to commit crime. 

What can we learn from Equifax?

One of the most important aspects to determine the strength of an organisation’s security posture and team is their ability to detect an attack. Based on what we’re seeing early on in the Equifax investigation, it’s clear they didn’t have the appropriate processes in place to catch the attackers. What often happens when it comes to incident response is that companies have numerous tools or systems in place to prevent and detect attacks independently, but there are still gaps between the systems that prevent the security system from acting in a fully joined up way.  There are a number of reasons which can cause this, but most often it is due to a lack of staff resource or training, inadequate security budgets and or tools which haven’t been configured correctly. More often than not, this is as a result of poor executive leadership and a lack of understanding regarding the requirements of cyber risk management.

Security teams are often tasked with looking at and comprehending large masses of information. An organisation’s system will typically generate a huge amount of information that it can use to protect their networks and valuable data, but only if their tools are configured correctly. Following this, the security team will be required to correlate security alerts with human activity.  For example, what do these alerts really mean? If an organisation is unable to complete these tasks at the speed and scale required in today’s modern world, any defence against an attacker will be useless.

A converged approach

As will be the case for Equifax, any large-scale data breach which has a lasting impact on society, the news cycle and many, complex moving parts will likely end up in the courtroom. Arguments surround who is responsible for keeping an organisations’ data safe, and the degree of negligence involved are all likely to lead to litigation proceedings. The loss of entire identities will only add fuel to the mix and increase the chances of long and painful battles in the courts. This raises some interesting points and questions that companies will now be expected to have answers for in a court of law – for example, were the steps they took to protect the data they were responsible for enough, considering the steps have resulted in failure. How can an efficient investigation or incident response plan be carried out if there is an insufficient understanding of the kind of information housed by an organisation or even where that information is located? Finally, on a reputational level, how can an organisation control the conversation in the wake of a breach, when it emerges the issue was known about prior to disclosure and new revelations continue to trickle out to the press. 

This is why many companies are moving towards a more converged approach, and the Equifax example demonstrates how many professional disciplines have converged in a way that means it is difficult to determine where one begins and one ends. Areas of specialisation such as eDiscovery, digital forensic investigation and information governance are now closely associated with the concept of cybersecurity that it is now harder distinguish between the disciplines anymore.

Looking forward

There is still a long way to go when encouraging organisations to adopt this blended, converged approach when it comes to information governance and cybersecurity. Whilst the prospect of steep fines or legislative repercussions from the upcoming EU GDPR is slowly turning the waters, there is still an opportunity for firms across every industry to try to form a competitive edge as the firm that is secure and knows where all its data is.

By taking a step back and becoming a ‘good shepherd’ of their data, organisations can rest assured they know where their data is located, and then perfect their processes towards protecting it effectively. This enable organisations to better protect themselves as they are able to distinguish between high and low priority data, and put the appropriate protective measures in place. Not only this, but information governance also has positive implications towards post-breach litigation. If a breach does in fact lead to a battle in the courts, being able to demonstrate you were aware of the stolen data, where it was located and the measures in place to protect it, will reflect well on your organisation. In a perfect world, information governance and know where your highest priority data is located will enable security teams to make smarter security decisions and being better prepared for strict regulations such as GDPR.

However, we’re not living in a perfect world, there is still a long way to go before organisations wake up to the importance of information governance. Until then, breaches will continue to result in significant costs and reputational damage, large scale investigations, litigation and in the extreme cases, criminal action.