The Equifax breach: consequences, implications, and sequelae.
There are credible reports that an extortion threat has been made in the dark web, presumably to Equifax, threatening to dump stolen credit card numbers if a 600 Bitcoin ransom (about $2.6 million) isn't paid by September 15th (Surfwatch Labs). There are also reports of a spike in credit card fraud (New York Post). That spike is likely to be large and enduring, given the scale of the breach, but the incident is having major consequences beyond simple crime.
Mike Shultz, CEO of Cybernance offered some general thoughts:
"This breach is totally inexcusable. This wasn’t a technical assault – this was a simple access by hackers through web application that was not properly secured. This critical breakdown of internal defenses is no different than every major breach of significance in the past two years, but the sensitive information accessed points to extreme danger for the personal wealth and financial health of our economy. This is the 9/11 moment that the NIAC has been warning about.
"Commercial enterprise is the front line of defense against hacking, and the 143 million records compromised suggests every family in the U.S. is affected. The bad guys now have your financial information, your employment history, your children’s names, what school they attend – this is a tsunami of personal risks to all U.S. citizens, not just the 44% who were directly affected. It is inconceivable the amount of information these firms hold, and the long-term effects are massive. How do you get a job or buy a house when the U.S. economy has been compromised? This goes down to the fiber of the United States, and a breach of this caliber has the potential to freeze the credit reporting system, the banking system, and do major damage to the global economies as a whole.
"What’s the solution? The government has clearly endorsed the use of the NIST Cybersecurity Framework to strengthen enterprises from this devastating caliber of risk by focusing on people, policies, and processes. Had NIST CSF been employed by Equifax, this breach would not have happened. Further, the government provides protection for companies who use NIST and designated technology covered by SAFETY Act. These functions are in recognition of the risk to the U.S. economy from breaches just like this – this is no longer a suggestion, it is necessity.
"It is the fiduciary duty of every C-suite and board of directors to act with reasonable business judgement to protect private information of consumers, and the fact that proper security measures were not set in place and consumers’ information has been held for weeks without notice means that responsibility has not been upheld. The FBI’s involvement since the breach was identified in May, and their offering of one year protection for every citizen in the U.S. also suggests that the ripple effect of this breach may be even greater than we’re aware. With the massive epicenter of today’s announcement, it is reasonable to assume that every board of directors and C-Suite has also been breached. Perhaps now they’ll get serious about defending personal information – or suffer the severe financial, reputational and personal consequences now being faced by companies like Yahoo."
"This is a disastrous data breach, probably one of the most detrimental breaches of this year, capable of undermining trust in an already quite fragile online financial space," Ilia Kolochenko, CEO of High-Tech Bridge, said. He added:
"Many businesses and financial institutions rely on the compromised information. Now cybercriminals have a great wealth of opportunities to conduct spear phishing, fraud, identity theft, impersonation and social engineering attacks against the victims of the breach. We should be prepared for skyrocketing number of attacks targeting not only the victims, but their relatives, employers and partners. The breached database will likely be shared among various cyber gangs, exacerbating the damage.
"It's a very colorful, albeit very sad, example how a vulnerability in a web application can lead to disastrous consequences for an entire company, its customer base and far beyond. Today, almost any critical data is handled and processed by web applications, but cybersecurity teams still seriously underestimate the risks related to application security. Most companies don’t even have an up-to-date application inventory. Without knowing your assets, you won’t be able to protect them. Many global companies still rely on obsolete automated solutions and tools for their application security, while cybercriminals are already using machine-learning in their attacks when targeting and profiling the victims for example."
The impact on Equifax.
Equifax (NYSE:EFX) shares closed down 13.66% on Friday, September 8, 2017 (Google Finance). That's bad, but it's also not a Wall Street death sentence. (Seeking Alpha even calls it "much ado about nothing.") It's worth pointing out that it's not necessarily the company's customers who are being hurt. It's the consumers those customers are paying Equifax to rate who are now facing the prospect of fraud, damage to credit, and identity theft. The US Federal Trade Commission (FTC) has posted some quick advice to consumers about how they might begin to protect themselves.
The company's regulatory risk and exposure to litigation will bear watching. The FTC and the US Securities and Exchange Commission (SEC) are likely to take a close interest in the incident, as are a variety of State regulatory bodies and Attorneys General (CNN). The plaintiff's bar is of course already preparing its cases (TechCrunch, PRNewswire). A report from Baird Equities Research offers an early overview of the incident's likely effect on Equifax.
Bill Mann, chief product officer at Centrify, commented on the market's reaction:
“Equifax’s stock declined five percent the day its breach became public. This is directly in line with a recent Ponemon study that found this to be the historic average on Day One. The long-term impact will likely be greater, as this breach impacts millions of consumers who trust Equifax with their most personal information, and trust is at the core of their business. Based on its severity and the sheer numbers involved, a breach like this will displace consumer trust, and potentially wipe out additional value quickly. Data breaches are a very real business with bottom line concerns. Today’s cybersecurity is not secure, as it’s far too easy for hackers to access corporate networks via exploits including excess privilege, password capturing, etc. In order to avoid financial and reputational ruin, organizations must rethink their approach to security.”
It's not just Equifax: other data handlers will feel secondary effects.
Equifax competitors TransUnion and Experian have also taken a hit to their share prices as investors react with a degree of panic (Times of India). Credit Bureaus are not the only ones who should perceive this as a warning. It's been clear for some time that holding great quantities of personal information exposes organizations to great risk.
"The unfortunate Equifax breach is just another embodiment of the threat environment that organizations face every day – this is the new normal," said Dr. Richard Ford, chief scientist of Forcepoint. He added:
"The rise of large scale data collection and aggregation has placed considerable pressure on organizations to preserve privacy while leveraging data for legitimate business purposes. The more sensitive the data the greater the liabilities caused by a breach. The threats to this data are diverse, ranging from the apparent hack disclosed here to accidental loss by authorized users. Focusing too narrowly on a single scenario can prevent companies from seeing the full spectrum of risk they face, with dire consequences. Companies need to augment legacy defenses with modern, human-centric approaches that look at how and why data is accessed and by whom; this intersection of people, data and systems can become the critical point for effective security and compliance.”
Dallas N. Bishoff, Director – Security Services at Stratiform, also sees more general risk. “The recent event at Equifax, similar to prior events at other organizations, once again targets the data," he said. "Whether the data is privacy, financial, healthcare, or intellectual property, data has value. It can, and is traded in the cyber underground. Therefore, it is entirely predictable that all organizations with substantial data collections will remain targets. This week it was Equifax, but every week, most companies are at risk."
"It will take months or years for Equifax to recover – from both the impact on its stock and on consumers’ trust – and no doubt they’ll be learning from this for years," said Ray Rothrock, CEO and Chairman of RedSeal. "For those who worry, “Are we next?” we need to learn from Yahoo!, which not only lost $350 million on its deal with Verizon because of their hack, now their customers can sue Verizon, as a result. Digital resilience is the answer. Companies that pay as much attention to protecting their high value assets – like customer data (Equifax, Yahoo) or content (HBO) – and can battle the bad guys when they’re inside the network will maintain their value as well as the trust of their customers and investors."
And, of course, consumers should brace for fraud and identity theft.
Michael Patterson, CEO of Plixer predicts, “This breach will have devastating consequences for many of the people whose data was compromised. Cybercriminals have all the data they need for identity theft including names, social security numbers, birth dates, addresses and driver’s license numbers. The cost of this breach will be enormous for not only for Equifax, but more importantly for the millions of innocent consumers who have been affected. Consumers can reduce their risk by going to [the FTC site] and taking steps to establish a credit freeze. Equifax needs to quickly scrutinize historical network traffic analytics to identify and proactively notify every single person whose data was compromised.
Ryan Wilk, Vice President of Customer Success for NuData Security says, “The scale of this data breach is huge, and is likely to have a significant impact in the cybercrime world. Breaches such as this, with sensitive and highly valuable personal data involved act as a pipeline for further cybercrime. Those involved should be extra vigilant in keeping an eye out for spearphishing and other targeted cybercrime attempts. As for Equifax, this kind of incident amplifies the voices calling out for a more secure method of accessing accounts. Combining two-factor authentication with a passive biometric solution would render these kind of breaches a thing of the past.”
Tim Crosby, Senior Security Consultant, Spohn Security Solutions, observed that there's considerable uncertainty about what the attackers will do with the information they took. "We know what they got – what we don’t know is: Did they change any information? Back to security basics - the CIA triangle (Confidentiality, Integrity, Availability) …we know confidentiality was breached, what about Integrity of the data? We know – the data is all too available."
However the breach occurred, the incident is calling into question the continuing use of Social Security Account Numbers for either identification or authentication (Motherboard).
Update, 9.17.17.
Ilia Kolochenko, CEO of High-Tech Bridge, offered additional comments on the incident.
“Thorough and unbiased investigation is quintessential to understand the reasons and scope of the breach. Many data breaches are under-investigated and lead to repetitive attacks and aggravated consequences for the victims. Let’s hope that this cooperation with government will permit Equifax to identify the attackers, minimize the overall damage of the attack and improve their internal security processes.”
Dana Simberkoff, Chief Risk, Privacy and Information Security Officer at AvePoint, had this to say:
"Not only is there a heightened awareness level among consumers and their concerns about theft, fraud and security, there’s also a greater risk of potential harm due to the sensitive financial data Equifax holds. Several federal and state agencies are investigating the incident, and consumer advocacy groups preparing to sue Equifax, whose notification and response plan, to date, has been less than ideal. But as Equifax reported, the breach came from an exploit in a web application vulnerability. Aside from any specifics, it’s a good time to pause and reflect on what we can learn from this breach, even before we know the full details.”
For those interested in some of the regulatory standards companies must meet in handling incidents, eSentire offered the following helpful rundown. They point out that "the breach notices would have required Equifax to report the incident to their clients in 24 hours, not weeks. And, because Equifax retains bigger clients in New York, they are governed by DFS NYCRR rules, which dictate 72 hours for breach reports – again, not weeks." And eSentire poses the obvious question: "Did their clients receive notification within this timeframe?"
It's a complex legal and regulatory environment. Much of the reporting on the incident has focused on Federal regulatory action, but the variety of state laws that could come into play may be at least as, if not more consequential than, Federal statures. Mark Sangster, VP and Industry Security Strategist at eSentire said:
“Given the nature of Equifax data and the magnitude of the breach make this a watershed moment in breach detection and response. Many difficult questions will be asked and become the crux of numerus legal actions that will likely stem from this event. The most obvious, is why it took so long to disclose the breach. The risk to consumers begins to drop exponentially as soon as the breach becomes public, and affected companies and consumers can take defensive measures to protect their financial identity and funds.
"Yet, Equifax waited over a month to respond and provide breach notice. Headquartered in Atlanta, Equifax is bound by the state breach notification laws of Georgia, which require a firm to report a breach, stating, ‘The notice shall be made in the most expedient time possible and without unreasonable delay.’ In some circumstances, notification is to be made within 24 hours. Did Equifax meet this requirement and do everything in its power to protect those affected by the breach?
"Moreover, other state laws might come into play. Major banks based in New York no doubt rely on Equifax for credit information may have clients affected during this breach. New York has very stringent and proactive cyber regulations through the state Department of Financial Services. As such, these banks would have 72 hours from the determination of a cybersecurity event to provide notification. Did Equifax clients receive notification within this timeframe?
"Many financial companies have much to lose, and numerous protection laws will be tested. And of course, through all the inevitable finger pointing, will be the consumers who have been affected by this breach and will struggle to find reasonable resolution through this highly complex, highly charged, game changing event.”
Update, 9.20.17.
Extending regulation.
New York's Governor Andrew Cuomo is considering imposing new registration and compliance requirements on credit reporting agencies operating in the state (New York Times). Additionally, the state's Attorney General has pressed Equifax competitors TransUnion and Experian to disclose their own security practices (WWNY).
We heard from Tony Urbanovich, Chief Operating Officer at CyberGRX, who thinks in general this isn't a bad idea. “Subjecting credit reporting companies to the same stringent standards that financial services companies are accountable to is an idea that’s long overdue," he said in an email, "but doing so will put a tremendous strain on security and risk teams that are already strapped for resources. The requirement to conduct regular cybersecurity assessments is a big part of these regulations, and will force companies to rethink the way they manage and mitigate third-party cyber risk. Effectively managing the strain on resources is not an easy task and will require a proactive and collaborative approach to understanding their exposure to third-party risk, something that is encouraged in New York’s cybersecurity regulations.”
How consumers should protect themselves.
So what should people do if they've been affected by the Equifax breach? Here's some advice we received from Dr. Richard White, formerly Chief Information Security Officer for the United States Capitol Police, the managing director for Oxford Solutions and course chair for the Cybersecurity and Information Assurance program at the University of Maryland University College. He recommends that consumers protect themselves by:
- "Watching out for phishing schemes: Be on the lookout for phone calls or emails from people claiming to be from Equifax. If this happens, tell them you will call Equifax back directly at the published 1-800 number. You can ask for a case number or reference number and then call the company yourself. If it is a reputable caller, he or she will not have a problem with you wanting to protect yourself."
- "Watching out for Typosquatting or URL hijacking: When this happens, you receive an email directing you to a website or online form that looks exactly like the Equifax or other consumer credit reporting agency websites. They copy the HTML page to look identical to that of the company they are pretending to represent. But look closely: Equifax might be spelled Equ1fax or instead of a .com the hackers will use .uk or .au., or change the phone number and other minor details. Again, in this case, call the company directly yourself."
- "Keeping a regular eye on your personal information: Stay on top of all of your personal information including bank accounts, credit card statements, retirement accounts and your mortgage. Make sure the dollar amounts are correct and lookout for any fraudulent charges. Pay attention to entitlement programs like social security or Medicaid. If you are not receiving social security, make sure your status doesn’t show as receiving it. Check your credit every six months to make sure everything is in order and get a well-rounded picture of everything."
- "Being smart about passwords: Have different passwords for every account. Change your passwords every three months. Never choose a password that is your child’s name or spouse’s name. Never use birthdays. Make sure your passwords aren’t simply words but that they contain numbers, special character and both and upper and lower-case letters."
- "Locking your credit, sign up for credit monitoring and fraud alerts: You can lock your credit by contacting the credit agencies and requesting a lock be put on your credit. Just remember to remove the lock if planning a big purchase like a new home or car. Place fraud alerts with the major credit bureaus, Equifax, Experian and TransUnion, and you can also signup for credit monitoring. Look into programs like LifeLock which provides cost effective credit monitoring and identity theft protection."