Equifucked: Legal clauses, stock sales and 143 million breached accounts leave Equifax’s reputation in tatters
The credit monitoring giant Equifax has confirmed it has suffered a mahoosive data breach. In a statement Equifax makes a point of highlighting that there is “no evidence of unauthorized access to core consumer or commercial credit reporting databases,” yet admits that, “criminals exploited a U.S. website application vulnerability to gain access to certain files.” Files that could potentially impact 143 million customers in the US.
While the ‘core consumer credit reporting database’ may have escaped hacker attention, let’s not underestimate what they did manage to access. The Equifax statement says that the data accessed includes: names, social security numbers, dates of birth, addresses and driver’s license numbers. Oh, and if that wasn’t bad enough, around 209,000 US consumers have also had credit card numbers accessed. Oh, and again, another 109,000 consumers have had ‘dispute documents’ containing personal identifying information accessed.
But wait, it gets worse. Much worse. It has been revealed that three Equifax executives sold nearly $2m of stock just days after the discovery of the breach, but weeks before it was disclosed to the public. Of course, apparently they had no idea about the breach at the time and it was just pure coincidence. Sounds like MRDA to me, truth be told.
That’s not even the worst of the ‘much worse’ bit though. Are you ready for this? If, like many Equifax users, you headed to the site set up by the company to help users establish whether their data was among that compromised, then you will have got more than you expected. Legal language originally used within the terms and conditions disclaimer of that site meant that users would be waiving their right to take class action against the company. Yep, you read that right. Equifax has responded to the emerging category five shitstorm by removing the clause and insisting that the “arbitration clause and class action waiver… does not apply to this cybersecurity incident.”
All of the above can be summed up as too little, too late, and as evidence of a major enterprise being totally unprepared in terms of incident response planning.
To be blunt, in reputational terms, Equifax has been well and truly Equifucked.
Why so? Well, the time it has taken from breach discovery to breach disclosure is frankly shocking. How long? Well, the breach was discovered, according to Equifax, on July 29th and it took until September 7th to disclose it. That’s a pretty large window through which credit card and other data could be exploited.
Equifax CEO Richard F Smith says that it’s “a disappointing event for our company” and apologised for “the concern and frustration this causes.” That he then states Equifax prides itself on being “a leader in managing and protecting data” would be laughable were it not so serious.
What is laughable, of course, is that Equifax is offering anyone impacted by the breach a complimentary registration to credit file monitoring and identity theft protection provided by, erm, Equifax.
IT Security Thing has been rounding up industry opinion as this news story breaks, and here’s what the security experts have to say about it.
Andrew Martin, CEO and co-founder at DynaRisk:
Commenting on the news that data from the breach is apparently being ransomed for $2.6m on a dark web market site, Martin says: “While this could be a scam, Equifax and their security teams will no doubt be working hard and fast to confirm whether the claims are legitimate. This will involve contacting the alleged hackers and obtaining a sample of the data. Holding stolen data to ransom is a growing and increasingly malicious threat that organisations worldwide are dealing with. Consumers, in turn, must begin taking responsibility for their online safety as the likelihood is that it will someday fall into the wrong hands. The data compromised in the original Equifax breach is an ID thief’s dream – so it’s what happens next that will be critical. The best advice now would be to make sure you are regularly using services that enable you to check whether your details have ever been exposed, and monitor your actual level of online risk and future fraud attempts.”
David Emm, principal security researcher at Kaspersky Lab:
“This is yet another case of a breach becoming public long after the incident itself occurred, which underlines the need for regulation. It’s to be hoped that the GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and, secondly, notify the ICO of breaches in a timely manner.”
Andrew Clarke, EMEA director at One Identity:
“143M consumers is a massive hit. And the immediate damage is to the reputation of Equifax. After-hours share price is dropping, which takes millions off the company’s value, plus the inevitable regulatory inspections and subsequent fines – this will absolutely cause them long-term damage.”
Lee Munson, security researcher at Comparitech:
“Anyone potentially affected by the breach has some work to do now. While it is not known whether card data was encrypted or not, I suspect it is likely that personal information was easily accessible. Given how many people create usernames and passwords based on family names, or still use sites with ‘secret questions’ to which the answers are inherently personal, a change of passwords across a number of sites may well be in order right now.”
Tim Erlin, VP of product management and strategy at Tripwire:
“The best time to develop a response plan for a breach is well before one occurs. Information security teams at other organizations should use this incident as an opportunity to evaluate their own plans.”
Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies:
“At this stage we don’t know how the data was stored, so it is difficult to determine the severity of the breach. For example, we don’t know if the credit card data was encrypted, or exactly what data was actually stored and where – such as whether the account numbers were stored on their own or with other personal information. These details will dictate the severity of the breach, and the risk to Equifax customers.”
Ilia Kolochenko, CEO of High-Tech Bridge:
“Many businesses and financial institutions rely on the compromised information. Now cybercriminals have a great wealth of opportunities to conduct spear phishing, fraud, identity theft, impersonation and social engineering attacks against the victims of the breach. We should be prepared for a skyrocketing number of attacks targeting not only the victims, but their relatives, employers and partners. The breached database will likely be shared among various cyber gangs, exacerbating the damage.”
Nigel Hawthorn, chief European spokesperson at Skyhigh Networks:
“No doubt Equifax has been working feverishly behind the scenes since it found the breach in July. All businesses must think about the steps they would take in similar circumstances to investigate a breach, track the data lost and put together a communication plan to customers. Not having a pre-prepared and tested incident response plan causes delay in disclosing data loss, which simply opens up the company to further criticism and reputation damage when information is eventually publicised. Moreover, companies have to ensure that they are aware of every outsourcer, business partner or cloud service that may be sharing data, as similar breaches at any of those will have repercussions up the chain.”
Chris Morales, head of security analytics at Vectra:
“Equifax needs to raise its cybersecurity score. Enterprises have to realise they cannot address cybersecurity by simply spending money on intrusion prevention solutions and instead need to shift investments to detection and response solutions that are being used by today’s advanced attackers. The cyber attackers gained a foothold by seemingly exploiting a web application vulnerability. From there, they most likely escalated privileges, abused credentials and admin protocols, moving laterally through the network, which businesses rarely have the necessary tools to detect.”
Dr. Richard Ford, chief scientist of Forcepoint:
“The unfortunate Equifax breach is just another embodiment of the threat environment that organisations face every day – this is the new normal. The rise of large scale data collection and aggregation has placed considerable pressure on organisations to preserve privacy while leveraging data for legitimate business purposes. The more sensitive the data the greater the liabilities caused by a breach. The threats to this data are diverse, ranging from the apparent hack disclosed here to accidental loss by authorised users.”
Paul McEvatt, senior cyber threat intelligence manager at Fujitsu:
“What businesses in the UK should take away from this breach is the seriousness of data protection. The implementation of GDPR is going to be upon us before we know it, where businesses will also have to pay regulatory fines on top of any customer fallout, brand damage and stakeholder relations they would have to manage. Organisations need to take these headlines as a warning and use this as an opportunity to get all of their cyber measures in place.”
Kenneth Geers, a senior research scientist at Comodo, NATO Cyber Centre ambassador and former NSA/NCIS analyst:
“On the technical side, it is critical that we learn what application was exploited, and what vulnerability was leveraged, so that other companies can take defensive action. The fact that the Trustedid.com site isn’t yet working means that Equifax was simply not ready for the level of responsibility that possession of this quantity and quality of digital information requires. It is alarming that, despite past cybersecurity compromises, Equifax today apparently has no chief information security officer (CISO) to talk to.”
Fleming Shi, SVP advanced technology engineering at Barracuda:
“The vulnerabilities in this breach are quite commonly exploited by hackers. It is easier to exploit vulnerable software hosted on a website because once this vulnerability is exposed, an attacker can ‘practise and refine’ before pulling the trigger on a major attack. All that is needed is the vulnerable version of the hosted software in QA. When website code is independently vulnerable, the nefarious actor must go through trial and error to find gaps in protection. Most reputable sites have a web application firewall in place, which can detect anomalous behavior and prevent continued attack activity on the site. In short, it is more difficult to uncover vulnerable code, but can produce lucrative results if exploited.”