Equifax in early September informed the world about what may be one of the largest U.S. data breaches to date. The hack of the consumer credit score company exposed the personal data of an estimated 143 million people. That’s nearly half the country’s 326.4 million population. Some Canadian and U.K. residents were also impacted.
Unauthorized parties were able to access credit card numbers, driver’s license numbers, names, and Social Security numbers due to what Equifax described as “a U.S. website application vulnerability.”
That happened between mid May and July. Equifax says it became aware of the problem on July 29 and “acted immediately to stop that intrusion.”
Since then, Equifax has been working with law enforcement. The company also hired a cyber security firm to investigate the situation. That investigation should be concluded “in the coming weeks,” Equifax said in its Sept. 7 press release.
The company is sending letters to those whose credit card numbers or dispute documents with personal information were accessed. It also has created a website and circulated a call center number through which consumers can access details about the breach.
In light of the news, several cyber security experts contacted me to weigh in. Here are their thoughts on the matter. For more on cyber security developments and trends, check out the Security Special Supplement in this issue.
Mike Schuricht, vice president of product management at Bitglass: "We see breach after breach attributed to poorly patched or ill maintained internal applications, which is ironic considering security professionals continue to predict cloud apps as the bigger security concern. It's becoming more and more clear that moving to the cloud often means increased security, as the ability to adequately protect the application is an existential question for cloud app vendors."
Bill Mann, chief product officer at Centrify: “Equifax’s stock declined five percent the day its breach became public. This is directly in line with a recent Ponemon study that found this to be the historic average on Day One. The long-term impact will likely be greater, as this breach impacts millions of consumers who trust Equifax with their most personal information, and trust is at the core of their business. Based on its severity and the sheer numbers involved, a breach like this will displace consumer trust, and potentially wipe out additional value quickly. Data breaches are a very real business with bottom line concerns. Today’s cybersecurity is not secure, as it’s far too easy for hackers to access corporate networks via exploits including excess privilege, password capturing, etc. In order to avoid financial and reputational ruin, organizations must rethink their approach to security.”
Kenneth Geers, senior research scientist at Comodo: “It is ideal, if ironic, for cybercriminals to compromise the very companies that internet users rely on to safeguard their identities and finances. Cybercriminals would like to have enough information about you that they can in effect become you, and Equifax possesses that quantity and quality of data. Even if you are not a customer, Equifax likely has a lot of data about you, and you should take proactive steps in response to this hack.”
Ilia Kolochenko, CEO and founder of High-Tech Bridge: “This is a disastrous data breach, probably one of the most detrimental breaches of this year, capable of undermining trust in an already quite fragile online financial space…. Now cybercriminals have a great wealth of opportunities to conduct spear phishing, fraud, identity theft, impersonation and social engineering attacks against the victims of the breach. We should be prepared for a skyrocketing number of attacks targeting not only the victims, but their relatives, employers and partners. The breached database will likely be shared among various cyber gangs, exacerbating the damage. It's a very colorful, albeit very sad, example of how a vulnerability in a web application can lead to disastrous consequences for an entire company, its customer base and far beyond.”
Tim Erlin, vice president of product management and strategy at Tripwire (News - Alert): “Information security teams at other organizations should use this incident as an opportunity to evaluate their own plans. All organizations that collect and store sensitive data are targets. Doing the basics right, such as ensuring secure configurations, managing vulnerabilities and capturing log data, is the most effective way to prevent breaches.”
Atiq Raza, CEO of Virsec: “Even as vulnerabilities are found and patched, hackers are developing new fileless techniques to fly under the radar of most security tools. It’s no longer adequate to base security defenses on past attacks – we need to shift to real-time monitoring and security for web applications and all the processes that support them.”
Edited by Erik Linask