September 11, 2017
(by Todd Feinman, CEO and Founder Spirion)
Equifax allowed 143 million Social Security Numbers (SSNs), names, dates of birth (DOB), and other personally identifiable information (PII) to be stolen. This affects most of us personally because we all have financial accounts (e.g., credit card, bank account, mortgage, car lease), and it’s highly likely Equifax received your SSN from a bank that ran a credit report on you to open that credit card account. So even if you never gave Equifax your SSN to obtain your credit score or purchase credit monitoring, you are still a victim of their recent negligence (mistakes below) and are now at higher risk of identity fraud for the rest of your life.
The sensitive data was stolen by hackers exploiting an application vulnerability that gave them access to Equifax files for over 2 months (unfortunately, it went undetected during that time). First, those applications and their systems should have been patched and rigorously tested. Second, any system that stores restricted classified data or allows it to flow through must have high security requirements and should be constantly monitored. Third, the data itself wasn’t properly secured: given their sensitive nature, SSNs should never be obtainable unencrypted. Once your SSN is leaked, you are at higher risk forever because SSNs do not expire, and while free credit monitoring for a year might make you feel good, it doesn’t protect against all fraud and forces you to renew every year. Equifax, and certainly all enterprises, have a responsibility to protect our data. Other breaches contain your name and DOB too, so they can be used to correlate your info and learn new things (imagine someone with the Yahoo data breach dump, which contained name, DOB, phone, address, email address, etc.) to scam you or steal your money. Equifax did not discover the breach for over 2 months, and once they did, they held back announcing it for another 6 weeks. That’s 6 weeks of possible identity fraud activity that could have been avoided if Equifax had announced the breach sooner!
Businesses are not the real victims even though they are attacked by criminals. In reality, they have an obligation to use profits to protect the classified systems that are used to lower their costs. They simply don’t spend enough money on knowing their data – classifying data so they know how to prioritize security spend. Some do, and we don’t hear about them when they get breached because their sensitive assets are well protected and it’s not news unless something sexy was stolen. But many do not (check out the Ponemon Report: The Importance of DLP in Cybersecurity Defense on data classification), and they think “it’s probably not going to happen to me.”
What can we all do as victims? First and foremost, we and the rest of the public should NOT develop a callus and become comfortable with the idea that this is an inevitable outcome. Businesses must evolve with the criminals, as they have in the past. In the late 1800s, banks didn’t just keep letting outlaws bust open their vaults to steal their cash. They redesigned the vaults to be resistant to cracking and hired security to watch the bank 24×7. Today we cannot tolerate retailers or banks letting hackers bust open their systems to steal our personally identifiable information (PII). It’s not their cash anymore, it’s our PII. Second, freeze your credit, file taxes early (to avoid fraudulent refund claims), and, if you find a good deal, monitor your credit. Forever.
What can we all do as security professionals? Honestly, aren’t you tired of enterprises being hacked and our classified data being leaked? Tired of freezing and monitoring your credit, tired of disputing charges and changing your credit card number on autopay, tired of being rejected for an application because of a past fraudulent incident? Breaches are inevitable, but data leaks are avoidable. Start by knowing where all your corporate sensitive data is located so you can focus resources on successfully protecting critical systems. Automated data classification will take 90% of the labor out of this problem and let organizations focus on new processes that are only possible once data is already classified (e.g., blocking cloud syncing of any file containing an SSN). This is a major problem, and any custodian of sensitive data has a fiduciary responsibility to do their part by knowing their data better and protecting it.
There’s no doubt that Equifax is in big trouble. We should learn from Equifax’s mistakes and focus on data classification to know what to protect, where it is, who can access it, when it was from, and why they even still need it.