On a scale of 1 to 10 this is an 11.
The breach of 143 million personal credit records from US credit reporting company Equifax is not the biggest breach ever – but in terms of the sensitivity of the personal data, it’s right up there as possibly the worst cyber security data breach in history.
Hackers exploited a vulnerability in the credit scoring company’s web-facing application between May and July this year. They scored names, social security numbers, addresses – even credit card numbers and driver’s license numbers. It affects almost half the US population as well as Canadian and UK customers. This data will live on the dark web for years and millions are likely to be affected in some way. The proverbial book will get thrown at this company. Who’d trust them now to protect sensitive data (after all that’s what they do for a living)? We all need to learn from it.
What companies can learn from this:
1. Get serious about protecting your web-facing systems – penetration test everything that faces the web. Run constant vulnerability scans and react fast to what they find. Patch, patch, patch immediately.
2. Build fast-acting forensic capability into your protective posture and ensure you have a capability to react to cyber incidents the moment they occur – contract specialist Security Operations Centres who are experienced in running SIEM and network analysis applications like Darktrace. Having this capability is now the new starting point, not the end game.
3. Audit admin passwords today – administrative accounts need to be properly protected. Secure all your administrative accounts with strong, complex, unique passwords and two-factor authentication as the minimum standard. Better still, ditch passwords for hard-token access on admin accounts.
4. Get on the customer-protection end of this type of incident early. Equifax took five weeks to disclose the data breach. That’s too long a wait for customers who need to react by changing credit card details and taking steps to protect other disclosed information. Their customers will be advised to frequently monitor account statements and credit reports, and to report any suspicious activity to their financial institution. Equifax most likely will have to foot the bill for this activity across millions of customers.
Fundamentally, the leadership of every organisation needs to ask one simple question – when we get attacked, how are we going to respond and how are we going to get on top of it fast?
It’s all about speed to detect and speed to eradicate. Stop the criminals before they get too far and shut them out of your systems. If you rely on just a ‘locked front door’ or blocking at the point of entry, then like Equifax you’ll find the attack surface of your organisation is just too big and too complex to maintain 100% protection over – unless you just disconnect your entire business from the internet, that is – and who can do that these days?
The criminals were in Equifax’s systems for more than two months and, by the looks of things, could traverse the network and gain admin control, which enabled them to steal the most sensitive data imaginable. Clearly, the company’s protective efforts were focused in the wrong place.