We may still be waiting to hear the definitive version of events which led to the catastrophic Equifax data breach, but one thing is clear: organisations must learn from the firm’s mistakes to improve their own threat protection. The breach of highly sensitive data on 145.5 million Americans – almost half the country – and 400,000 Brits could have been halted by effective layered security, including prompt patching and web application firewalls (WAFs). Equifax’s incident response was also poorly managed.
It’s safe to say that, had the incident happened after May 2018, Equifax would be facing astronomical fines under the forthcoming GDPR. Organisations must take note to ensure they don’t find themselves in a similar position next year.
A cautionary tale
The breach at one of the big three credit reporting agencies in the US compromised a trove of PII including names, dates of birth, email addresses, Social Security and driving licence numbers, telephone numbers and – in some cases – credit card details. Equifax recently released more information on the incident, which suggests that a lack of effective patching initially let the bad guys through.
The vulnerability exploited by the hackers was an Apache Struts web server flaw identified and disclosed by US CERT in early March 2017.