In the news
Equifax: Failing to Learn Vital Cybersecurity Lessons
In the weeks running up to this issue’s release, US credit report company Equifax admitted it had been hit by a massive and preventable data breach. Lucy Ingham explores why the attack is evidence of how much more seriously cybersecurity still needs to be taken.
Just over a week before this magazine was due to be released, news broke of a massive data breach affecting the customers of US credit report company Equifax. Between mid-May and the end of July this year, hackers accessed the company’s systems, making off with the data of 143 million people in the US – just over half the country’s adult population.
The data obtained varies by individual, but includes names, birth dates, addresses and social security numbers, as well as – in some cases – driver’s licence numbers. Some 209,000 people have also had their credit card numbers stolen.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Richard F Smith, Equifax chairman and CEO, wrote in a company statement. “I apologize to consumers and our business customers for the concern and frustration this causes.”
While news is still emerging about the extent and complexity of the breach, it is clear that this is a very severe incident.
However, what is arguably more worrying is that it appears that Equifax has utterly failed in learning from other similar breaches in the past, suggesting that major companies are not doing anywhere near enough to prevent history from repeating itself.
Software security: Vital to stopping Equifax-like breaches
While Equifax was initially extremely vague about the nature of the breach, saying only that hackers had “exploited a US website application vulnerability to gain access to certain files”, the company eventually admitted what had happened.
“The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application,” the company wrote in a statement published on 15 September 2017.
“The particular vulnerability in Apache Struts was identified and disclosed by US CERT in early March 2017,” the company continued, referring to the United States Computer Emergency Readiness Team, a cybersecurity intelligence service run by the US government.
“Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”
However, if this characterisation of events is true, it highlights a very poor response to the vulnerability. Equifax has said that it “believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017” – a whole two months after the vulnerability was identified and the company’s security personnel allegedly began working to fix it.
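Identifying which systems run an affected framework version is the first step of the patching effort Equifax describes, and it is where a two-month gap tends to open. The script below is an added example, not Equifax’s or Apache’s code: it scans a software inventory and flags every entry whose Apache Struts version falls inside the ranges the Struts project listed as affected by CVE-2017-5638 (advisory S2-045: 2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1). The inventory, hostnames included, is constructed for the example.

```python
"""Flag inventory entries running Apache Struts versions affected by CVE-2017-5638."""
from typing import Dict, List, Tuple

# Affected ranges per the Apache Struts S2-045 advisory for CVE-2017-5638
# (inclusive on both ends). Fixed releases are 2.3.32 and 2.5.10.1.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("2.3.5", "2.3.31"),
    ("2.5", "2.5.10"),
]

Version = Tuple[int, int, int, int]


def normalize(version: str) -> Version:
    """Turn '2.5.10.1' into (2, 5, 10, 1), padding shorter strings with zeros.

    Padding to four components makes '2.5' and '2.5.0.0' compare equal and keeps
    comparisons numeric: '2.3.9' must sort before '2.3.31', which a string
    comparison would get wrong. Build qualifiers such as '-SNAPSHOT' are dropped.
    """
    core = version.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected Struts version format: {version!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def is_affected(version: str) -> bool:
    """True if the given Struts version lies inside any affected range."""
    v = normalize(version)
    return any(normalize(lo) <= v <= normalize(hi) for lo, hi in AFFECTED_RANGES)


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "dispute-portal-01.example.internal", "struts": "2.3.30"},
    {"host": "dispute-portal-02.example.internal", "struts": "2.3.32"},
    {"host": "api-gateway-01.example.internal", "struts": "2.5.10"},
    {"host": "api-gateway-02.example.internal", "struts": "2.5.10.1"},
    {"host": "legacy-app-01.example.internal", "struts": "2.3.4"},
]


def find_affected(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the sorted hostnames whose recorded Struts version is affected."""
    return sorted(entry["host"] for entry in inventory if is_affected(entry["struts"]))


def report(inventory: List[Dict[str, str]]) -> str:
    """Human-readable summary suitable for a ticket or a daily patch-status mail."""
    affected = find_affected(inventory)
    lines = [f"CVE-2017-5638 exposure: {len(affected)} of {len(inventory)} hosts affected"]
    lines += [f"  PATCH REQUIRED: {host}" for host in affected]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

The check deliberately treats the version string as the only evidence; in practice the inventory should be fed from what is actually deployed (for example the Struts JAR in each application’s classpath) rather than from what a change ticket says was installed, since the two drift apart exactly in the window this incident illustrates.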
“It is unacceptable that credit bureaus, which hold so much personal information which they then sell, can allow such a breach to happen and practice poor security hygiene,” commented Ondrej Vlcek, CTO and general manager of the consumer division at antivirus provider Avast.
“Companies like Equifax are supposed to be the bastions of customer data,” added Richard Parris, CEO and chairman of security company Intercede. “Yet, as has worryingly become commonplace today, businesses are continuing to neglect how they protect customer data – and even their own data.”
Breaches resulting from such neglect have happened many times before, often as a result of hackers finding ‘backdoors’ into systems, as was the case in this instance.
“Hackers are consistently searching for these vulnerabilities, and companies, especially those with access to so much sensitive information, need to significantly increase their diligence in maintaining security of their data,” said Vlcek.
In particular, companies need to ensure that all points of access to their databases are equally secure, as the proliferation of different apps for different platforms can result in the security of some access points being neglected.
“In case you were wondering why software security is important, here is yet another lesson why,” said Dr Gary McGraw, vice president of security technology at Synopsys Software Integrity Group.
“When a large database is connected to the internet through various applications and is not designed and implemented to be secure, things like the Equifax breach happen.”
Not just Equifax: Too many companies are ignoring cybersecurity
Major cybersecurity events are becoming increasingly common, and it’s not just a case of hackers stepping up their game. The sad fact of the matter is that despite repeated warnings and a slew of high-profile breaches that have caused share price drops, major reputational damage and a string of resignations, companies are still not taking cybersecurity anywhere near seriously enough.
A recent survey by Intercede, for example, found that poor security remains shockingly widespread.
“Recent research we conducted found that 86% of systems administrators within major enterprises – those people that hold the keys to an organisation’s kingdom – are using basic password authentication to protect data,” said Parris. “What’s more, 50% of respondents admitted that business user accounts in their organisations were ‘not very secure’.”
It’s clear that Equifax is not alone in not taking cybersecurity seriously enough, and that has resulted in a significant percentage of consumers being very seriously affected by data breaches.
“It’s no surprise that we’re seeing hack after hack. But it’s no longer acceptable to put customers at risk, advising them to ‘change or use complex passwords’ when passwords are the root cause of the majority of data breaches today,” added Parris. “Businesses have been warned that current security methods are no longer enough to fend off cyber criminals and it’s us – the general public – that are left to wonder who has access to our data and which of our online accounts could be compromised next.”
It is, however, important to remember that effective security can be achieved, and that businesses have no valid excuse for failing to stop this type of attack.
“The right security methods are out there – strong authentication that incorporates multiple levels of authentication such as PIN numbers, devices and biometrics. This makes it much more difficult for cybercriminals to hack into systems,” he said.
“But it appears businesses are getting lazy and lack the volition to make change; Equifax’s data breach is an example of the type of breach we should not be seeing today, and it’s worrying that calls for change are falling on deaf ears.”
Reputation: Why Equifax’s management of the breach could make things worse
Beyond the technical concerns, Equifax also appears to be making the same mistake as several previously hacked companies in that its management of the situation looks set to cause significant damage to its reputation.
First and foremost, the time it has taken for the company to officially acknowledge the breach is uncharacteristically long, and is resulting in significant criticism, with any reasoning offered by the company – despite potential legitimacy – feeling like weak excuses.
Similarly, while the company’s chief information officer David Webb and chief security officer Susan Mauldin have both stepped down, this has done little to boost public sentiment, particularly as Mauldin had already come under significant criticism for being a music graduate rather than a computer science major. Essentially, while the resignations may be perceived as addressing the problem in some manner, they ultimately do nothing to right the wrongs of the breach.
However, perhaps most significant is that Equifax’s attempts to ‘help’ consumers have resulted in it repeating the same poor security practices that led to the breach in the first place.
“In response to the breach, Equifax created a website – Equifaxsecurity2017.com – that offers free identity theft protection and credit file monitoring to all US customers,” said Etienne Greeff, CTO and co-founder of SecureData.
“However, customers are asked to input additional information into the website that doesn’t even have a valid security certificate. It’s akin to offering contents insurance to a person whose house has already been robbed – and potentially putting them at risk even further.”
Such a move was likely an attempt to mitigate reputational damage, but it appears to be backfiring, particularly given how vague the company initially was about the attack.
“Equifax has been relatively tight-lipped about the type of information that has been compromised, meaning if customers want to take advantage of the company’s Credit Freeze feature to prevent further credit theft, they have to use a PIN number that may or may not have been stolen by cybercriminals,” added Greeff.
“In short, Equifax’s knee-jerk and ill-considered response to the breach is shambolic. It appears the company is more concerned about its own image than supporting customers and providing transparency on what exactly has happened.”
Equifax breach victims: What customers can do
What, then, can the 143 million victims of the breach do to protect themselves?
Unfortunately, with the situation still unfolding, the advice at present is largely to watch and wait.
“This is one of those cases where there is unfortunately really nothing consumers can do except be vigilant. We expect it is only a matter of when, not if, this data appears on the dark web market,” said Vlcek.
However, there are a few actions that you can take in the meantime.
“At this point there are a few actions potential victims can take to help ensure they are protected. First closely monitor all email, social, credit card and bank accounts for suspicious activities. Second, consider looking into a credit freeze that will stop hackers from using your identity to accrue debt,” he said.
“Also, don't respond directly to emails and other messages notifying you that you're a victim. They may be scams. Instead, open up a new tab and log in directly to the site in question, or call the support center number listed on their site.”