Equifax, one of the “big three” credit bureaus in the US, is in hot water at the moment after suffering a data breach which has exposed personal data for 143 million people. Social security numbers, birth dates, addresses and even some driver’s license numbers are believed to have been compromised, making this one of the largest data breaches to date. While most of the data exposed to “unauthorised access” belonged to US citizens, Equifax stated that “limited personal information for certain UK and Canadian residents” had also been compromised.
For various reasons, this incident is being referred to as the worst corporate data breach so far, not least because of the company’s abysmal handling of the aftermath. On the very first day after the breach was made public, Equifax set up a website to allow customers to check if they had been affected. Instead of hosting it under their primary domain, equifax.com, they opted to direct potential victims to a brand-new one, equifaxsecurity2017.com. Equifax asked users to trust this unfamiliar site and required them to enter the last six digits of their social security number in order to check their records against the breach, despite observers almost immediately identifying serious bugs in the website. The company allegedly knew about the breach as far back as July, and it took them roughly six weeks to disclose it – time, some would argue, that could have been used to prepare a much better response.
“There should have been a very comprehensive set of policies and procedures for what to do to respond,” according to Jonathan Bernstein, the president of Bernstein Crisis Management, a company specialising in helping other businesses respond to incidents such as data breaches. “It’s going to be more difficult to convince people that they can now safeguard data, because Equifax has undermined their credibility from the way they’ve responded. They made the situation worse.”
Due to the company’s ill-fated decision to use a separate domain, it wasn’t long before a phishing domain was set up to trick users – securityequifax2017.com, a simple transposition of the legitimate equifaxsecurity2017.com. More embarrassingly still, the company’s official Twitter account mistakenly tweeted links to this domain no fewer than four times. Luckily for Equifax, the domain had actually been registered by security developer Nick Sweeting as a proof-of-concept, to show how easily a cyber criminal could have taken advantage of the situation. According to Sweeting, the page received more than 200,000 visits. The lesson is twofold: a breach-response site should live under a domain customers already recognise, and any link an organisation publishes during an incident should be checked against the domains it actually controls before it goes out.
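The following is an added example, not code from Equifax or from Sweeting’s proof-of-concept. It shows the kind of pre-publication link check that would have caught the transposed domain: it generates lookalike candidates for each legitimate domain (token re-orderings, hyphenated forms and a few TLD swaps, the same family of tricks tools such as dnstwist automate) and classifies an outbound URL as legitimate, a lookalike, or unknown. The allowlist `LEGIT_DOMAINS`, the `VOCAB` word list used to split labels into tokens, and the simplified `registrable_domain` helper are all assumptions made for the example; a real deployment would use a public-suffix list and a proper brand/word dictionary.

```python
"""Pre-publication check for lookalike domains in outbound links.

Added example (not Equifax's or Sweeting's code). Assumes a hypothetical
allowlist and vocabulary; a real deployment would use a public-suffix list.
"""
from itertools import permutations
from urllib.parse import urlparse

# Hypothetical allowlist: domains the organisation actually controls.
LEGIT_DOMAINS = {"equifax.com", "equifaxsecurity2017.com"}

# Hypothetical vocabulary used to split a DNS label into tokens.
VOCAB = {"equifax", "security", "secure", "breach", "check", "2017", "info"}


def tokenize(label):
    """Greedy longest-match split of a label into VOCAB tokens.

    Returns None when the label cannot be fully covered by the vocabulary,
    e.g. tokenize("equifaxsecurity2017") -> ["equifax", "security", "2017"].
    """
    tokens, i = [], 0
    while i < len(label):
        match = None
        for j in range(len(label), i, -1):  # longest candidate first
            if label[i:j] in VOCAB:
                match = label[i:j]
                break
        if match is None:
            return None
        tokens.append(match)
        i += len(match)
    return tokens


def lookalikes(domain):
    """Generate lookalike registrable domains for a legitimate domain.

    Covers token re-orderings (securityequifax2017.com), hyphenated variants
    (equifax-security-2017.com) and a few common TLD swaps.
    """
    label, _, tld = domain.partition(".")
    tokens = tokenize(label) or [label]  # unsplittable label: keep as one token
    out = set()
    for perm in permutations(tokens):
        for joined in ("".join(perm), "-".join(perm)):
            for t in (tld, "net", "org", "co"):
                candidate = f"{joined}.{t}"
                if candidate != domain:
                    out.add(candidate)
    return out


def registrable_domain(url):
    """Host with a leading 'www.' stripped; a stand-in for a public-suffix lookup."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_link(url):
    """Classify an outbound link before it is published.

    Returns "ok" for an allowlisted domain, "lookalike of <domain>" when the
    host is a generated lookalike of an allowlisted domain, else "unknown".
    """
    dom = registrable_domain(url)
    if dom in LEGIT_DOMAINS:
        return "ok"
    for legit in sorted(LEGIT_DOMAINS):
        if dom in lookalikes(legit):
            return f"lookalike of {legit}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the transposed domain from the article.
    for link in ("https://www.equifaxsecurity2017.com/",
                 "http://securityequifax2017.com",
                 "https://equifax-security-2017.com/check",
                 "https://example.org/"):
        print(f"{link:45} -> {check_link(link)}")
```

Because `check_link` only recognises permutations the generator produces, treat “unknown” as a hard stop for a human reviewer rather than an approval; the value of the check is that it turns a transposition a tired social-media operator will not notice into a loud, automated refusal.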
There are even more indicators that Equifax had an appalling security culture: the data breach occurred through exploitation of a known, publicly disclosed vulnerability which Equifax had attempted, and failed, to patch. As with the aftermath of the WannaCry ransomware incident, we are seeing time and time again that even when a clear threat is presented with an obvious fix, companies can be slow to act, or apply the fix without verifying that it actually took effect, and ultimately fail to close the hole.
“There’s no question a company like Equifax would be targeted all the time (by hackers) and that’s hard, but all of this really speaks to poor security practices and a lackadaisical response,” says Jason Glassberg, co-founder of Casaba Security. “My hope is that this really becomes a watershed moment and opens up everyone’s eyes, because it’s astonishing how ridiculous almost everything Equifax did was.”
In the aftermath of this data breach, but (crucially) before the breach was disclosed to the public, three high-ranking Equifax executives sold $1.8 million worth of company shares. Equifax claims that the executives had not been aware of the breach at the time. This has caused massive problems for Equifax. In an unusual reaction, the board decided that it was time for the CEO, Richard F. Smith, to step down. Smith had been chief executive of Equifax since 2005 and has, technically, resigned. However, due to the severity of the incident and the fact that he presided over such gross negligence, the board has said that it could retroactively classify Smith as having been fired for cause. This would mean that Smith forgoes, and possibly even repays, compensation such as his $20.8 million in stock awards and $3 million yearly bonus.
Equifax then had to look for a replacement for Smith, but faced an unusually difficult situation in that most of the usual internal candidates had been ‘tainted’ by the circumstances of the cyber attack. Among the executives who sold stock before the breach was announced were the head of its largest division and its chief financial officer, both of whom are currently under scrutiny. In the interim, Equifax has appointed the head of its Asia-Pacific region, Paulino do Rego Barros, as acting CEO. The company is currently searching for a new chief executive, and many believe it will be forced to look externally. The chief information officer and chief security officer have also stepped down in the wake of the data breach.
It is unclear whether the exploitation of the vulnerability followed from an Equifax employee clicking a phishing email; the page has no evidence either way, though commonly cited industry figures put phishing at the start of the large majority of breaches. One thing is certain: unless businesses get serious about managing their security and patching, verify that patches have actually been applied, and train all staff to be security aware, it is only a matter of time before they are breached – if they aren’t already breached and just don’t know it. With the introduction of the GDPR next year, the data breaches disclosed so far will look like a drop in the ocean compared with those to come, now that failure to report a breach can itself result in a multi-million euro fine. A worldwide cyber war is upon us right now. It’s time to start getting prepared and take the security of your customers’ data seriously.