Global credit-report agency Equifax has been hit by a critical data breach, affecting the private data of around 143m customers.
Attackers are thought to have gained access to sensitive customer information such as names, social security numbers, dates of birth, addresses and driving licenses, leaving those affected extremely vulnerable to identity theft.
Additionally, Equifax has stated that intruders accessed files containing credit card numbers for roughly 209,000 US consumers, as well as “certain dispute documents with personal identifying information” for a further 182,000.
This has been an unfortunate week for data breaches: the Equifax attack comes days after Taringa, known as the “Reddit of Latin America”, was infiltrated, leaving nearly 30 million user credentials exposed.
Naturally, experts from the cyber security industry were available to give the IT Security Guru their opinions on the Equifax breach, which is considered one of the biggest data breaches of the 21st century:
Chris Doman, security researcher at AlienVault
“This isn’t the first time that a credit monitoring service has suffered a massive breach. It would likely have taken hours or even days to download all that information from Equifax’s database – all without anyone noticing. Equifax haven’t said exactly how the attackers stole this information – but normally when this happens it’s the result of a simple SQL injection vulnerability. It’s a shame to see that despite waiting 6 weeks to tell customers, Equifax’s website telling customers of the breach is broken. Unfortunately, in this case, there isn’t much customers can do. Now the data is out there, it’s out there. There are reports the data is already available on the black market – though they may be fake. Equifax are offering free credit monitoring in response to the breach, which ironically has been a growing service of theirs in response to other cyber security breaches. But frankly I wouldn’t take them up on the offer as they aren’t capable of protecting the additional data you would need to give them.”
Giovanni Vigna, CTO and co-founder of Lastline
“Even though every breach reveals data that criminals can use to launch additional attacks, either by the initial attackers or other criminals to whom they sell the compromised data, this particular breach has provided a very complete set of financial information items to the attackers, who can leverage this data for sophisticated attacks. With a breach this large, the impact this data is likely to have as a pipeline for further cybercrime is significant. Criminals will merge data from multiple sources, building dossiers on potential victims, including spear phishing targets inside corporations. Every breach is a reminder of the importance of strong authentication measures in both personal and professional devices, networks, and web applications. The blurring of personal and professional use of enterprise assets, such as laptops, underscores the criticality of protecting organizations from the network core to the outer edges against advanced persistent threats and evasive malware that could be introduced as a result of an infected personal device. Data breaches provide a distribution hub for malware for years to come, but modern firewalls, current authentication measures and a new generation advanced malware detection system using behavioral identification methods (versus signatures or hashes) to detect malicious code are key elements in the fight to protect account holder information from being breached and thereby defend brand reputation.”
Andrew Clarke – EMEA Director at One Identity
“Whenever news breaks of a cyber attack nowadays it just seems to get worse every time. 143M consumers is a massive hit. And the immediate damage is to the reputation of Equifax.
After-hours share price is dropping, which takes millions off the company’s value plus the inevitable regulatory inspections and subsequent fines – this will absolutely cause them long-term damage. It is also revealed that 209K customer credit card numbers were accessed – if this is the case, it breaks PCI regulations plus causes a logistical nightmare for the affected consumers and credit card providers. We have witnessed many cases now of this type of incident and experience shows that it is basic measures that would have cost substantially less than the impact costs to mitigate.
Often we see privilege or administrator accounts being used to gain super-user status in the infrastructure which enables attackers to plant malware and circumvent security measures to access what would be otherwise secure records and databases. Privilege Access Management is proving to be one of the most foundational measures that a company can take to control and manage this risk. Other factors include user education coupled with best security practices embracing tools such as firewalls; patch management and vulnerability assessment to close loop-holes and limit exposure. In addition, the fact the attack occurred from mid-May to mid-July points to the fact that tools such as identity analytics and risk intelligence are not in place or working effectively here.
After this attack, as Equifax attempt to recover their position, big questions will be asked in the board-room – but as ever post attack these are always challenging to deal with – it is far better to anticipate that this type of attack is very likely now and have detailed plans to deal with it both from a technical perspective but also a public relations perspective. Unfortunately, after the event it is often too late to save the day!”
Bill Evans – One Identity
“As a US citizen, I’m infuriated. As a cyber security expert, I’m appalled. Perhaps no other piece of personal information, other than healthcare information, is as vital as my credit score. It determines my viability for credit and the rate at which I can obtain credit. I have spent a lifetime building decent credit. And now one of the three agencies that has so much influence over what I can and cannot do with my finances has failed to uphold its end of the bargain. To be clear, Equifax has stated that credit scores were not compromised directly; rather, the only information taken includes names, address, birthdates, driver’s license numbers and credit card numbers, which is, in some cases, about all the information someone (else) needs to sign up for credit using my identity. The good news is that my personal information was also compromised in the Office of Personnel Management attack several years ago and I got free monitoring as a result. Now, thanks to Equifax, I’ll continue to get credit monitoring for several more years…free of charge.
“We do know that the hackers used a website vulnerability to gain access to files, but we’re not sure specifically how. A longer-term forensic analysis is required to get to the root cause of this breach. But if it’s like so many others, the hackers were likely after a privileged account – those accounts that provide access to the “keys to the kingdom” which in this case includes my personally identifiable information or PII. Regardless, other companies should take heed of this situation and ensure they are, at least, doing the basics of cyber security correctly. This includes deploying a privileged access management solution, ensuring all accounts – end users and admins – are using multi-factor authentication, patching servers with the latest security releases from vendors and perhaps most importantly educating your users. These four steps are perhaps the most vital to ensuring our data remains safe.”
Lee Munson, Security Researcher at Comparitech
“The scale of the Equifax breach, if the quoted figure of 143 million compromised records turns out to be accurate, is immense and could have far-reaching consequences for its American customers. That the target of this breach is a company that deals in such sensitive information, including credit card numbers and bank account details, highlights the value of personal and financial data to those who would steal it. Anyone potentially affected by the breach has some work to do now. While it is not known whether card data was encrypted or not, I suspect it is likely that personal information was easily accessible. Given how many people create usernames and passwords based on family names, or still use sites with ‘secret questions’ to which the answers are inherently personal, a change of passwords across a number of sites may well be in order right now. Also, with the same information being an identity thief’s goal, regular checks of bank account statements and credit reports will also be the order of the day, though those affected may want to choose a service from a different credit bureau for this purpose! Lastly, as with all breaches, Equifax customers should also be on the lookout for spam and targeted phishing emails which use the event to create convincing lures into worlds of even more hurt for them.”
Tim Erlin, VP at Tripwire
“It’s clearly early days for this news, and we can expect to learn more about the details in the future. With nearly every publicly announced breach, there’s new information discovered after the initial disclosure. The best time to develop a response plan for a breach is well before one occurs. Information security teams at other organizations should use this incident as an opportunity to evaluate their own plans. All organizations that collect and store sensitive data are targets. Doing the basics right, such as ensuring secure configurations, managing vulnerabilities and capturing log data, is the most effective way to prevent breaches. A breach isn’t a single point in time, but a span of time in which an organization is compromised. Prevention is primary, but detection and response are absolutely necessary as well.”
Andreas Kuehlmann, senior vice president and general manager, Synopsys, Software Integrity Group
“We’ve grown accustomed to data breaches, but what events like this and the recent ransomware outbreaks bring to light is that the scope and impact of cyberattacks are intensifying. We are more interconnected and dependent on software than ever, and when that software or those who maintain it are compromised, the consequences are becoming increasingly disruptive. It is imperative that organisations take a more proactive and aggressive stance on security – and it starts with building more secure software.”
Dr. Gary McGraw, vice president of security technology, Synopsys, Software Integrity Group
“In case you were wondering why software security is important, here is yet another lesson why. When a large database is connected to the Internet through various applications and is not designed and implemented to be secure, things like the Equifax breach happen.”