In September of 2017, Equifax, one of the three largest consumer credit reporting agencies in the United States, announced a data breach that exposed the personal information of 147 million people. The breached data included names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers. The credit card numbers of approximately 209,000 consumers were also exposed.
In January of this year, Equifax reached a settlement over the 2017 data breach and agreed to pay $1.38 billion, which includes $1 billion in security upgrades. Since then, the U.S. government has indicted four members of China's military on charges of hacking Equifax to exploit the personal data of 150 million Americans. They allegedly conspired to hack into Equifax's computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information of nearly half of all American citizens.
Three years later, what are some of the lessons learned from this data breach?
"Most people think that cybersecurity standards are over complex and demanding. However, the truth is they need to be as comprehensive as they are in terms of the range of security controls needed in order to get anywhere near a state of what could be called secure IT operations," notes Mark Kedgley, CTO at New Net Technologies (NNT), a Naples, Florida-based provider of IT security and compliance software. "Automation is the only way to deal with the scale of today’s Enterprise IT infrastructure but too many organizations are still short of where they need to be in terms of the foundational controls such as vulnerability management, configuration hardening and change control."
According to Kedgley, the autopsy reports of the Equifax breach list a number of fatal failures – corners were cut on key security controls which were then compounded by human error and gaps in critical processes to address vulnerabilities. "A lack of change control and breach detection visibility then left systems compromised for months. Key lesson is that it isn’t enough to just have some security controls and products in place, effective cybersecurity requires a pervasive adoption of security best practices at all levels throughout an organization. Frankly, too many chances were missed to prevent the breach, detect the indicators of compromise and do the right thing when the real picture was understood. However, it can serve as a great example of why cybersecurity really matters."
Tom Pendergast, Chief Learning Officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education, says that the core actions that could have prevented the Equifax breach—effective patching and network segmentation—were well known to all before the breach. "So the question is: if we know how to protect ourselves, why don’t we? You’ll hear excuses like we don’t have the budget, we don’t have the time, we don’t have enough personnel. But it all comes down to complacency: we either don’t think it will happen to us, we’re not able to convince others that the risk is real, or it just feels like an insurmountable challenge," adds Pendergast. "Some lessons learned since Equifax include patch, segment your networks, train on appropriate incident reporting (to flag issues as soon as possible). Hopefully, business leaders will have a better recognition of what’s required to secure the organization against cybercrime. Infosec leaders need the support of the business to put protections in place—and incidents like Equifax help make the case for budget, staff, and training to secure the organization."
Charles Ragland, security engineer at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, notes that, "Mature security program results don't always manifest themselves in prominent ways, which unfortunately leads many organizations to place security on the back burner. When treating security as a box-checking exercise, and not a workplace culture, organizations are often surprised when an incident happens."
"Creating realistic risk management frameworks for vulnerability assessment results is one of the top ways to maintain your security posture and reduce your attack surface," adds Ragland. "Evaluating the difference between vulnerable and exploitable systems and making decisions based on business needs and risk tolerance is crucial for organizations to prevent an Equifax-style attack."