What's the Crack with the Equifax Hack?
20th Sep 2017
Now that the dust has settled somewhat, we thought we’d give our view on yet another headline grabbing, panic-inducing data breach.
Was the Equifax hack unique in any way? Should this be the one data hack which compels us all to sit up, take note and change our approach to data security? Or was it simply another scalp to be displayed on the mantel of the hacking community, no more meaningful or meaningless than the last?
The Equifax hack made global headlines for two main reasons: 1) the vast majority of individuals of a certain age will be familiar with the company and, 2) more importantly, the data that they hold is about as sensitive as it gets in terms of personal privacy and identity theft.
Many mainstream media headlines focussed, quite rightly, on the tardy nature of the Equifax response, with reports suggesting that the company knew they had been targeted long before the official news broke.
In fact, we now know this timescale – from breach to patch – was approximately two months and from patch to disclosure, a further 38 days. That, in the words of Jim Lucking, Ensign’s resident cybersecurity expert, “is incredibly worrying”.
The Equifax hack showed us, once again, that syphoning data is a very effective method of extraction.
Hackers are too smart to operate ‘smash-and-grab’ operations, preferring instead to quietly syphon off valuable data over extended periods of time. Using this ‘under-the-radar’ tactic, it is far harder for businesses – in particular those of significant size – to detect incremental data loss and far less likely that hackers will be identified or caught.
We saw exactly the same scenario in the 2014 Sony hack, throughout which the hacking group known as “Guardians of Peace” syphoned all manner of data from the Sony Pictures servers over a 9-month period, including personal data of staff members and unreleased media.
Bad crisis management
Aside from the potential risk to their data, what many Equifax subscribers will be most frustrated with is the way in which the company dealt with the breach, both before the news broke and in the days that followed.
Investigations into the reasons for the breach conducted in the aftermath have revealed that the most basic of security measures were not taken, and ultimately left Equifax open to hacking attempts.
News reports and post-hack analysis suggest that a critical Apache Struts patch was not applied by Equifax on its release in March. Why this action was not taken is unclear, but what followed was approximately four months throughout which the credit reporting agency was left open and vulnerable to attack.
After two months, in May, hackers discovered the Equifax vulnerability and began pilfering all manner of data. Again, what is most distressing about this particular data breach is A) the sheer size of the organisation’s database – Equifax hold the data of over 140 million Americans, and over 40 million Brits, and B) the nature of the data – all the tools needed to ‘steal’ a person’s identity.
Patched but not disclosed
Equifax finally discovered and patched the leak in late July, by which time millions of records had already been lost.
In an act which tells us all we need to know about a company whose raison d’être is to apply knowledge to sensitive data, Equifax failed to inform their public of the breach, instead selling off millions of dollars’ worth of stock. It is in this that we get a view of just how damaging this kind of event can be to both businesses and customers alike.
Once the news went public - over a month after the hack was discovered and patched - the official line was that, although data had been breached, no credit reports had been scooped.
No matter - of all the data held by Equifax, the credit reports themselves are likely the least valuable to an unscrupulous hacker.
We also saw some blame-games being played, with the Apache Foundation denying claims that this was a zero-day attack and that Equifax could have taken no measures to protect their customers.
What does the Equifax Hack say about the state of corporate cybersecurity?
Well, it is broken record time…
What the Equifax hack most certainly tells us is that if this kind of event can happen to them, it can happen to any business, of any size and within any industry. That means you!
Of course, we know very little about the internal structure of Equifax, their IT security team and the measures that they take to prevent these occurrences, but we must assume that, given the nature of their business, their approach to data protection is extremely sophisticated and subject to constant scrutiny.
From what we have read in the wake of the attack, and the information provided by Apache, it is very difficult not to view the hack as the result of simple negligence. If a patch was issued but not applied, the consequences have surely been felt.
However, even large organisations may not assign the correct level of resource to cybersecurity. It is more than possible that this event was due to under-resourcing, or indeed to the growing workload of cybersecurity teams or departments, leading to the vulnerability or subsequent breach being overlooked.
We must not make Equifax a pariah
What is most clear from the media coverage of the Equifax hack, as we see in nearly all contemporary media, is that the levels of blame and outrage are high.
Yes, it is certainly true that this particular security breach could affect millions of individuals and, yes, it is also true that Equifax, more than most, has a responsibility to keep their user data as safe as possible. Officials will have to explain and, quite possibly, some heads will roll, but some perspective is required before we embark on a witch-hunt.
Let us suppose we hire ourselves a car tomorrow. The hire company will require as much of our personal and private information as would be stored by a company such as Equifax.
The point is that Equifax is not unique in the data that they store, and so our collective concern shouldn’t be aimed at this singular incident but at how companies of all kinds store and protect our sensitive data.
As we have stated many times before, the biggest threat to our online safety is ourselves.
The uncomfortable truth is that we (myself included) aren’t always great at adhering to best practices for security online, putting the onus (reluctantly) on businesses to keep data safe.
We are sure that by now you have heard of GDPR (General Data Protection Regulation) and what it means for big data.
Essentially, what it is saying is that the collective public will always fall short of fully protecting themselves, so it will soon be the responsibility of businesses to pick up the slack.
What this also means, once the legislation comes in next May, is that corporate responses to data breaches along the lines of “we will learn from this” will no longer be tolerated and business network security measures must be a priority – the fact is we are past the point of no return with regard to data storage.
Whether we like it or not, businesses need to store our information - how they protect it is a growing but not unsolvable problem.
For advice on anything from designing or upgrading your WiFi network and associated systems to the deployment of security solutions like Next Generation Firewalls and Endpoint Network Security, please contact Ensign Communications for a chat with our technical team.