The Equifax data breach news which broke last week was a bit of a shocker. About 143 million Americans were affected, which is most of the US adult population, and an unknown number of Canadians and Britons. The leaked data included some highly sensitive information including social security numbers, home addresses and credit card numbers. The cyber-attack on Equifax occurred between mid-May and July, and the incident is still under investigation. The story is so significant that my friends from outside of the cybersecurity industry heard about it in the mainstream news.
Data breaches are dangerous. Very often cyber attackers will sell the databases of sensitive information they acquire on the Dark Web, where other attackers can use the information to conduct identity fraud, financial fraud, or perform more targeted attacks in general. When a data breach happens to an organization, they open themselves up to litigation and reputational damage.
What happened to Equifax?
“For far too long, businesses have under-invested in software integrity, relying on network-based defenses that are incapable of protecting many exploit vectors, including those associated with open source security defects. The Equifax breach and loss of 143 million records (including mine) serves as a painful reminder of why every link in the software supply chain must be automatically and continuously managed. To do otherwise is simply negligent,” said Wayne Jackson, CEO of Sonatype.
“As a larger company, Equifax most likely spent a lot of money, time and resources securing their customer data, and yet they still fell victim to a massive attack. Everyone should pause and ask themselves: is my enterprise doing enough? Organizations must evolve their cybersecurity programs at a faster pace, and employing security service providers (where necessary) can be one way of doing so. Security programs must also be continuously tested, so an annual red team assessment with qualified, ethical hackers can be critical in understanding how strong your cybersecurity really is,” said Steve Groom, director of cyberdefense at Proficio.
To make matters worse, Equifax also appears to have initially mishandled the incident from a public relations standpoint.
“Equifax adds insult to injury by requiring consumers to waive their rights to a day in court and accept mandatory binding arbitration in order to take advantage of the company’s free year of credit monitoring. Cybersecurity experts estimate that the effects of this breach may be felt by consumers for decades. Consumers who choose to take advantage of Equifax’s credit monitoring in response to this breach should be sure to read the fine print carefully to find out how to opt out of these outrageous arbitration clauses,” John Breyault of National Consumers League said.
Considering how badly huge data breaches can damage a company's reputation, companies should be a lot more careful about how they present themselves to the general public during their incident response. Any perception of trying to waive a consumer's right to sue will have negative consequences.
At least Equifax has responded to public outrage regarding the “you cannot sue us” clause. On September 8th, they posted this message on their website:
So, it appears that you no longer waive your right to sue Equifax by using their dedicated website, EquifaxSecurity2017.com, to check whether you're a victim. Either way, if you suspect that your sensitive information may have been leaked in the attack on Equifax, I advise you to consult a lawyer before doing anything regarding the incident.
How does the Equifax attack compare to some other huge data breach incidents?
In October 2013, Brian Krebs broke the news of a data breach which affected at least 38 million Adobe customers. The customers had Adobe ID accounts for using popular applications such as the ones in Adobe's Creative Suite. After weeks of research, it was discovered that credit card information, IDs, passwords, and the source code for Acrobat, Reader, ColdFusion, and Photoshop were leaked.
By August 2015, Adobe agreed to pay $1.1 million USD in legal fees, and by November 2016, they paid about $1 million USD to customers.
As early as December 10th, 2014, American health insurance company Anthem detected questionable database activity. Abnormal query activity occurred until January 27th, 2015. According to an internal memo:
"On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate's logon information. He had not initiated the query and immediately stopped the query and alerted Anthem's Information Security department. It was also discovered the logon information for additional database administrators had been compromised."
By January 29th, Anthem had determined that they were hit by a data breach. Up to 78.8 million current and former customers were impacted. The leaked data included social security numbers, employment histories, and home addresses.
The attack vector was a phishing email link sent to an Anthem employee. The cost of the breach was eventually estimated to exceed $100 million USD.
In April 2011, Sony's PlayStation Network was hit by a massive data breach. Credit card numbers, customer names, and home addresses were some of the sensitive data that was leaked. The attack affected customers around the world, and Sony had to temporarily shut down their PlayStation Network between April 17th and 19th while investigating the problem and fixing their security. About 77 million PlayStation Network accounts were impacted.
About 2.2 million credit card numbers were leaked, which may have led to credit card fraud incidents such as $1,500 spent at a German grocery store, purchases in Japanese shops, and German airline tickets.
In 2014, Sony paid $15 million USD to settle a class action lawsuit.
For what it's worth, I'm a PlayStation Network customer, and I buy games in the PlayStation Store and renew my PlayStation Plus membership with gift cards. Gift cards cannot be traced to my sensitive financial data.
JP Morgan Chase
During July 2014, JP Morgan Chase was subject to a data breach which affected 76 million individuals and 7 million small businesses. The leaked data included names, phone numbers, email addresses, and home addresses.
According to Bloomberg:
“The attack on the lender, which is being probed by the Federal Bureau of Investigation and other agencies, started in June at the digital equivalent of the company’s front door, exploiting an overlooked flaw in one of its websites, two people familiar with the bank’s investigation have said.
The hackers unleashed malicious programs designed to penetrate the corporate network, the people said. With sophisticated tools, the intruders reached deep into the bank’s infrastructure, siphoning gigabytes of information, until mid-August.”
The attackers acquired root privileges on more than 90 servers.
By November 2015, Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein faced criminal charges for the attack. Some of their many charges were for wire fraud and money laundering that netted them an estimated $100 million USD.
Like the other data breach incidents I mentioned, the attack on Equifax affected many millions of people, exposing sensitive data like social security numbers, credit card numbers, and customer contact information. In my opinion, Adobe, Anthem, Sony, and JP Morgan Chase all handled the public relations aspect of their incident response better than Equifax has. If you don't want to be sued for a data breach, secure your data well! If a breach still happens, apologize and offer to compensate victims rather than make it appear like you're trying to waive their right to litigate. Litigation will probably happen, and it's better to offer a carrot to your customers than a stick. Reputation damage isn't a metric that can easily be measured by accountants, but it's a matter I don't think is prioritized enough by companies which are subject to data breaches. $30 million spent on compensating customers is cheaper than $300 million in lost future business.
As for preventing breaches, here are some basic tips:
- Limit access to sensitive data storage to as few employees as possible, both physically and by granting only limited permissions on user accounts. The few who do have access should be background-checked and carefully monitored.
- Destroy any digital or physical data mediums that you're getting rid of. Hard drives, optical discs, and flash media should be physically destroyed. Paper records should be shredded into tiny pieces.
- All sensitive digital data, both in storage and in transit, should be heavily encrypted at all times. Also be careful about how you store and manage keys.
- Keep only data that you need. The less data you have to protect, and the better organized it is, the easier it is to safeguard.
- Train your employees and contractors to be cybersecurity aware, and knowledgeable of corporate information security policy. Educate them on a regular basis.