The Equifax breach: an overview.
On Thursday Equifax, one of the big-three US credit bureaus, disclosed a major data breach. It affects 143 million individuals, mostly Americans, although data belonging to citizens of other countries, for the most part Canada and the United Kingdom, were also hit (Ars Technica). While not the largest data breach ever (Yahoo! still holds that record), it may be among the most damaging in its effect.
Equifax has confirmed it detected authorized access, which indicates that this was a case of data theft, not simply exposure. The information that was taken include names, Social Security Account Numbers, dates of birth, and addresses. Large subsets of the affected individuals also lost credit card numbers (some 209,000 cards), dispute documents (which you might file if you wished to correct something in your credit record), and driver's license numbers (about 182,000 consumers lost personally identifying information) (KrebsOnSecurity). There are reports that the data were not encrypted.
The company said in its disclosure that core credit record databases were not compromised. Those include such information as late payments, bad debts, and so forth. Most observers have found that cold comfort at best—the data lost are more than sufficient to commit all manner of fraud and identity theft (Help Net Security).
“If we look at this from a helicopter perspective - a society that can’t protect its citizens’ personal information will eventually see the system collapse,” says Ebba Blitz, CEO of AlertSec. “Once a social security number is no longer a valid means of identifying oneself we have to establish a new, as of yet unknown, order. It’s of utter importance that ALL personal data is protected. In the short term, every American adult should request a credit check and monitor their financial records closely.”
Viewpost’s Chief Security Officer, Chris Pierson, thought it "noteworthy that the CEO appeared in a taped video statement to announce the breach, and this is important from a governance and accountability perspective." Pierson compared the incident to an earlier credit bureau breach. "It is interesting to note, that another credit monitoring agency (Experian) was also breached in 2015 not for payment information, but for key data on consumers that might make its way into credit reports. Once more information on what was exfiltrated is known we will be able to discern a more accurate motive, but the hackers could be interested in key PII they can sell, additional authentication information useful in 'identity verification' controls, or just normal payment information."
“This isn't the first time that a credit monitoring service has suffered a massive breach," said Chris Doman, threat engineer at AlienVault. "It would likely have taken hours or even days to download all that information from Equifax's database - all without anyone noticing. Equifax hasn't said exactly how the attackers stole this information - but normally when this happens it's the result of a simple SQL injection vulnerability."
We've received further reaction from experts in the security industry.
“Not only is there a heightened awareness level among consumers and their concerns about theft, fraud and security," observed Dana Simberkoff, Chief Risk, Privacy and Information Security Officer at AvePoint, "there’s also a greater risk of potential harm due to the sensitive financial data Equifax holds. Several federal and state agencies are investigating the incident, and consumer advocacy groups preparing to sue Equifax, whose notification and response plan, to date, has been less than ideal. But as Equifax reported, the breach came from an exploit in a web application vulnerability. Aside from any specifics, it’s a good time to pause and reflect on what we can learn from this breach, even before we know the full details.”
John Suit, CTO at Trivalent, said, "In this case, hackers gained access to the data of credit reporting agency Equifax, potentially compromising personally identifiable information like social security numbers and addresses of 143 million American consumers. The data was found by exploiting a weak point in website software. A revelation of this immense size should serve as a wakeup call to organizations everywhere. Companies that store employees’ and customers’ information are targets to identity thieves. The only way to get ahead of a data breach is to address it as a likely probability, rather than impossibility. Organizations must seek next generation data protection solutions that will keep sensitive information safe – even in the event of a breach.”
"The Equifax breach is the one that pulled down all of America’s pants," is how Andrew Bagrin, founder and CEO of OmniNet, summed it up. He added:
"The information you kept closely guarded is now out there in the hands of the bad guys. By taking all the information someone would check to validate your credit, it is now quite simple to impersonate you and take money from anywhere based on your outstanding credit rating.
"The good news is that with close to 150 million records stolen, there’s not enough bad guys to exploit all of it any time soon—the chances of your identity actually being used is low. At the same time, this breach has put everyone on the same playing field—instead of identities of only those who are careless get continuously stolen, this reduces their recurring events and increases the events of those whose identity was previously safe.
"If this breach teaches us anything, it’s that everything is connected, we need to eliminate all weak points. We spend all of our time focusing on the front door and forgot to check if the window was left open.
Robert Capps, Authentication Strategist and Vice President of NuData Security offered this perspective:
“We are currently in a post breach reality and there is likely very little truly private data regarding consumers any longer. The sheer amount of data available to malicious actors will make data-based authentication very difficult. There is no ready technology or product available today to replace knowledge-based identity assertions online. The big question for organizations is how to continue to operate if all of the traditional consumer data elements are known to not only the consumer but also to an adversary as well? Monitoring of consumer behavior, along with passive and active (or physical) biometrics, can continue to protect systems while the identity assertion framework for consumers is reinvented. Decentralized identity is a great framework for building consumer identity and authentication for the post-breach future. In the meantime, companies will face added pressure from fraud and malicious use, as cybercriminals continue to exploit weaknesses in the current online identity assertion process. Fraud teams will face more uncertainty as to which transactions are real, and which come from a malicious actor."
It's been reported that Equifax sustained another, earlier breach back in March, some time before the later, more famous intrusion via an unpatched Apache Struts vulnerability (Bloomberg). Early reporting suggested that Equifax kept that breach quiet until just now, but that's not the case. In fact the credit bureau did disclose that incident to affected parties and regulators. The industry press picked the story up; the major media tended to overlook it (The Hill).
We received some reflections on the role the CIO should play in security, and on who should (or should not) take the fall for breaches of this kind from Ivanti's Chief Technologist, Simon Townsend. "In the aftermath of Equifax it’s easy to argue that the CIO carries the ultimate responsibility for securing and protecting the business and hence the CIO should take the fall," he said in an emailed comment. "This however is the same CIO many of us are suggesting needs to help IT drive the business, not just support it. We are asking a lot from our CIO’s and ultimately there are still people below the CIO who’s actual job responsibility it is to patch, protect and detect when things go wrong. Through the unification of IT technology, people and processes, the CIO would do well to ensure they have better visibility of both discovered data points and actionable tasks."