Equifax breach - What happened , poor response and what can we learn from it
Equifax is one of the biggest credit rating agencies in the world and stores the data of a large number of Americans in order to rate their creditworthiness. It recently came into the news that a large amount of this data had been compromised and stolen by hackers. The company became aware of the breach in July but only officially disclosed it a month later. The immediate outcome of the breach has been that both the CISO and the CIO have “retired” from the company.
Hackers stole personal information for as many as 143 million individuals from Equifax’s credit files, leaving them vulnerable to identity theft. The information includes names, birth dates, addresses and Social Security numbers.
Reason for the breach
Technically, the fault lay in an unpatched Apache Struts server application, which hackers exploited to steal data from the server. This again points to the fact that most breaches do not occur because of zero-days but because of organisations' inability to patch known vulnerabilities. Patching is a difficult job in any organisation, and most organisations are not able to patch 100% of their systems because of the multitude of systems, devices and applications involved. This is complicated by understaffed security teams, since they are cost centres rather than revenue earners. The way out is to automate more of the patching effort and to ensure a clear connection between the security staff at the lowest level and the CISO and CIO, so that leadership gets a true picture of the security situation.
Lack of qualified security professionals in Senior positions
Another issue related to Equifax that is trending is the CISO's qualification, or rather the lack of it, for the position held. The CISO was a music major at graduate level and did not appear to have a technical background or any suitable training or qualification in the security field. Most people will argue that it is not essential for a CISO to have a background in security if he/she has a good understanding of the business and the drive to get security implemented. This may be true, but the counter-argument is: how many CFOs do you know who are not from a finance background? At the very least they have majored in finance in their MBAs. As security is an important aspect of every digital business, it is essential that CISOs are qualified for their job, whether through educational degrees or adequate demonstrated work experience in the security field. Fundamentally, a CISO's job is to protect the organization, and it is best if he or she has risen from the trenches, or else has solid experience in related fields and a top-notch security team.
Lack of Corporate Governance
The following incidents show a governance lapse on the part of Equifax:
· Three senior executives, including the chief financial officer, sold $1.8 million worth of shares days after the breach was discovered.
· This was the third hacking disclosed by Equifax this year.
· The company also demanded that customers waive their right to sue, but has since backed off.
· They waited for more than a month to alert customers and shareholders about the hack.
· The site put up to alert customers was unclear and vague, prompting most customers to believe it was not real.
This itself shows that senior management at Equifax was not careful about ensuring the safety of customer data and wanted an easy exit. More financial and regulatory oversight is needed, including strict penalties for company management who hold shares and sell them during a crisis.
Fallout of the breach
There has been major fallout from the breach, with the following major events:
· Two of the senior executives, the CIO and the CISO, have “retired” (how accountable they are for this lapse is yet to be fully investigated).
· Equifax shares have dropped by 18% and may fall further.
· Millions of customers have been exposed to identity theft.
· A number of customers are planning class action lawsuits against the firm.
· The breach is now being investigated by law enforcement and may lead to disciplinary action.
Conclusion
Unlike the Sarbanes-Oxley Act, there is no legislation making corporate executives directly responsible for breaches of customer data. With such large breaches and such a huge fallout, such legislation is not far away.
On the technical side, organizations need a proper patch management strategy with a speedy patching effort. Despite the patch being available two months before the hack, Equifax was not able to patch its servers in time.
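The patching discussion under “Reason for the breach” and this concluding point both come down to one practical question: can the security team say, for every host, which version of a library such as Struts is deployed and whether it is older than the version a vendor advisory names as fixed? The following script is an added example written for this page, not Equifax's tooling or anything from the Apache Struts project. It walks a tree of deployed jars, pulls the version out of Maven-style `struts2-core-<version>.jar` file names, compares versions numerically (so 2.3.9 correctly sorts below 2.3.32), and reports everything below a configured baseline. The sample paths, version numbers and the `MINIMUM_PATCHED_VERSION` value are constructed placeholders and make no claim about which real Struts versions are vulnerable; substitute the fixed version from your vendor advisory.

```python
import os
import re
from typing import Iterable, List, Optional, Tuple

# Matches Maven-style jar names such as struts2-core-2.3.32.jar.
# Assumption: the deployed jars keep the "<artifact>-<version>.jar" convention.
STRUTS_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.32' into (2, 3, 32) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_below(version: str, minimum: str) -> bool:
    """True when `version` is older than `minimum`.

    Missing trailing components count as zero, so '2.5' equals '2.5.0'.
    """
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def struts_version_from_path(path: str) -> Optional[str]:
    """Return the Struts core version encoded in a jar path, or None if it is not a Struts core jar."""
    match = STRUTS_JAR_RE.match(os.path.basename(path))
    return match.group(1) if match else None


def find_unpatched(paths: Iterable[str], minimum: str) -> List[Tuple[str, str]]:
    """Return (path, version) for every Struts core jar older than `minimum`, in input order."""
    findings = []
    for path in paths:
        version = struts_version_from_path(path)
        if version is not None and is_below(version, minimum):
            findings.append((path, version))
    return findings


def walk_jars(root: str) -> Iterable[str]:
    """Yield every .jar under `root`; use this on a real host instead of SAMPLE_JARS."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".jar"):
                yield os.path.join(dirpath, name)


# Constructed sample inventory standing in for walk_jars() output from a few web apps.
SAMPLE_JARS = [
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/tomcat/webapps/api/WEB-INF/lib/struts2-core-2.5.12.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.20.jar",
    "/opt/tomcat/webapps/api/WEB-INF/lib/commons-lang3-3.5.jar",
]

# Placeholder baseline (assumption for the example): replace with the version
# your vendor advisory names as fixed before running this against real hosts.
MINIMUM_PATCHED_VERSION = "2.5.0"


if __name__ == "__main__":
    for path, version in find_unpatched(SAMPLE_JARS, MINIMUM_PATCHED_VERSION):
        print(f"UNPATCHED {version:<8} {path}")
```

Run on a real host, replace `SAMPLE_JARS` with `walk_jars("/opt/tomcat/webapps")` (or wherever the applications live) and feed the output into a ticketing or configuration-management system, so that the gap between “patch available” and “patch deployed” becomes a tracked number rather than a surprise after the breach.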
Organizations also need a clear and unambiguous action plan to deal with breaches. An “assumed breach” strategy needs to be in place, with proper incident response plans covering internal and external teams, a proper communications plan for media, customers and law enforcement, and finally a strict governance mechanism to prevent and ban insider trading (stock sales), so that customer confidence is maintained.