Back to Basics: What We Can Learn from the Equifax Breach

Print Friendly, PDF & Email

We may still be waiting to hear the definitive version of events which led to the catastrophic Equifax data breach, but one thing is clear: organisations must learn from the firm’s mistakes to improve their own threat protection. The breach of highly sensitive data on 145.5 million Americans – almost half the country – and 400,000 Brits could potentially have been halted by effective layered security including prompt patching and web app firewalls (WAFs). Equifax’s incident response was also poorly managed.

It’s safe to say that, had the incident happened after May 2018, Equifax would be facing astronomical fines under the forthcoming GDPR. Organisations must take note to ensure they don’t find themselves in a similar position next year.

A cautionary tale

The breach at one of the big three credit reporting agencies in the US compromised a trove of PII including names, dates of birth, email addresses, Social Security and driving license numbers, telephone numbers and – in some cases – credit card details. Equifax recently released more information on the incident which seems to suggest a lack of effective patching initially let the bad guys through.

The vulnerability exploited by the hackers was an Apache Struts web server flaw identified and disclosed by US CERT in early March 2017.

“Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure,” the firm said in a statement.

However, that doesn’t seem to have done the trick, as Equifax was forced to patch it again at the end of July. At that time, suspicious network traffic alerted it to the presence of online intruders, forcing it to take an affected dispute portal app offline. It added:

“The company’s internal review of the incident continued. Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.”

Patch, patch, patch

Effective patch management is a fundamental cornerstone of best practice cybersecurity. As long as you have a water-tight strategy that suits your organisation’s risk appetite, automated tools can then do much of the heavy-lifting for what is an increasingly labour-intensive task.

Of course, for such a strategy to work, you have to be running supported systems. An FOI request from the BBC recently discovered that England’s second largest police force is still running Windows XP on 20% of its PCs. Greater Manchester Police admitted having more than 1,500 machines still on the unsupported OS, which was ‘end-of-lifed’ in 2014. That’s a serious concern as patches are no longer being released for newly discovered threats on the platform – providing hackers with an easy target.

It’s also true that patching is only effective as part of a layered approach to security. Another key recommendation is to invest in Web Application Firewall technology. This will crucially shield vulnerable systems from all known and unknown threats until they’re ready to be patched – it would most likely have saved Equifax and could save your organisation from a similar scenario. With automated attacks increasingly efficient at exploiting any weaknesses in systems, and IT admins overwhelmed by patch overload, WAFs can provide a valuable safety net.

Incident response fail

We can also learn a lot about incident response from the Equifax case. Many commentators have rightly questioned why, if the firm knew about the incident at the end of July, it took six weeks to disclose to customers. That’s not illegal in the US, but it will be under the GDPR, which mandates 72-hour notifications and maximum fines of 2% of global annual turnover for non-compliance. That could have left Equifax around $63m out-of-pocket based on its 2016 earnings. It may have been on the hook for further fines due to its failure to patch properly in March.

The firm has also been criticized for directing victims to a separate domain – equifaxsecurity2017.com – for more info on the breach. Some researchers found security bugs in the site itself, while others said it looked like a phishing domain; particularly worrying considering it requested visitors to input the last six digits of their Social Security number to check whether they had been affected. The firm further complicated matters by tweeting the wrong link out five times. That link – securityequifax2017.com – had fortunately been reserved by a white hat developer to raise awareness about phishing.

Equifax is unusual in that – given its role as credit agency – it holds the crown jewels of identity data which will be a veritable gold mine for whoever has obtained them. Few organisations will have access to such a broad sweep of PII. But that is no reason not to guard what you have with care, and ensure you have adequate incident response plans in place in case attackers do eventually find a way through. The stakes are simply too high today to ignore best practice security.


Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.

Follow Phil on Twitter here and connect with him on LinkedIn here.

Scroll to top
Tweet
Share
Share