It was recently revealed that that credit monitoring service Equifax was breached, leaking the information of 143 million customer, or about 57% of the US population over the age of 18. The potential acts of poor design, negligent security, rash decision making, terrible customer relations, and maybe even insider trading are astounding. It would be not be prudent to speculate on what we don’t yet know, and we don’t really need to - there is so much to comment on even in the initial reports.
These records are not like other records
We have a tendency to measure damage by the numbers, but when it comes to a data breach, this is a mistake. While 143M records is a massive number, it is still smaller than other mega breaches such as the Yahoo! or Adult Friend Finder breaches. The Equifax breach is however a far more damaging breach due to the PII that was stolen. This breach included credit card numbers but most concerning is the inclusion of social security numbers (SSNs). Obtaining a new credit/debit card is fairly painless, but SSNs are permanent and open the lock box to an individual's identity given how widely used SSNs are when obtaining credit. The heavy reliance on SSNs as a key identifier for an individual represents a critical weakness for consumer privacy.
It’s not the Breach, It’s how you handle it
In a world where data breaches have become far too common, the breach itself is less important to long term brand damage than the response itself. Consumers have shown that they can ultimately be forgiving if they deem that a company has responded promptly and professionally and gone above and beyond to repair the damage. The response from Equifax has moved in the opposite direction and leaves much to be desired. The website that consumers have been directed to has been broken and created more questions than answers. Their suggestion that they'll repair the damage by offering credit monitoring services that they own seems more like a self serving effort to profit from the breach and there are already questions of insider trading. Equifax needs to act quickly if they want any hope of avoiding permanent and irreversible damage to their corporate brand.
Importance of vigilance and process
It’s not prudent or productive to speculate on exactly what happened. Those facts are emerging now. The prevailing theory at the time this blog was written was that a recently discovered vulnerability in an Apache plugin called Struts may allow remote code execution. A patch for that compromise was released on September 4.
If the Equifax breach was indeed a matter of compromising the Apache Struts attack, other organizations need to move fast to ensure they are not the next victim. This drives home the need to have a clear inventory of hardware and software and personnel to analyze and apply security patches, especially when those systems touch customer data or are part of critical infrastructure.
Wannacry was the result of thousands of companies ignoring or delaying a patch released months earlier by Microsoft for a deprecated protocol not in use by most companies. How many Fortune 100 companies have not applied the patch that was released on Sept 4th for the Struts vulnerability?
How many will now be applying it over the weekend under an emergency change? Simple basic processes can eliminate so many vulnerabilities; it's Security 101. If companies aren't patched by next week, this same attack is likely to be used against other companies.