How Bad was the Equifax Data Breach?

New Information Shows the Breach Worse than First Reported

How worried should you be about last year’s Equifax data breach?


That’s the warning for the more than 145 million Americans — nearly half the nation’s total consumers — whose personal data was compromised in what ranks among the largest and most significant cyber scourges in history.

In first responding to the highly publicized September 2017 breach, Equifax reported that the hacked information included (only) the following:

  • Names

  • Social Security numbers

  • Dates of birth

  • Addresses

  • Driver’s license numbers

Now, according to The Wall Street Journal and other outlets, Equifax disclosed in a sealed document submitted to the Senate Banking Committee that the following data also was accessed:

  • Credit card numbers

  • Tax ID numbers

  • Email addresses

  • Driver’s license issue dates

  • Driver’s license states


A Series of Investigations by Federal and State Officials

What’s extremely disturbing about the latest revelations is this: It took a series of investigations by federal and state officials – led by Congress – to bring the hack’s full impact to the light of day.

Three things to consider:

  • The Equifax hack was far more invasive than previously reported

  • Companies like Equifax keep records of far more personal information than most consumers realize

  • If you’re among Equifax’s 145.5 million scammed consumers, cyber criminals now have far more access to your finances

A nearly $900 million company based in Atlanta and one of the national credit bureaus, Equifax is now scrambling on several fronts. Not only because its initial report glossed over the full extent of those adversely affected, but because of its slow response to users and lawmakers.

First, the company failed to adequately inform its users -- many of whom had no idea the company was keeping such personalized data on them in the first place -- that they were, indeed, very vulnerable.

Then, in the hack’s immediate aftermath, the company’s CEO, Richard Smith, resigned under pressure. A few months later, he was rebuked by Senate committee members for evasive non-responses to their questions.

Plus, in a side development fraught with political intrigue, the Consumer Financial Protection Bureau (CFPB), the federal agency created by the Dodd-Frank Act as a banking and credit watchdog, immediately halted its inquiry into the Equifax data breach following the change in leadership.

Maybe they hoped it would go away.

Heading the Office of Management and Budget

Equifax now offers its clients free credit “freezes” through June 30. Freezing your credit helps prevent new accounts from being opened in “your” name. But remember, if you actually do need a home loan, new credit card, or want to open a bank account, that temporary freeze will need to be lifted.

Not quite enough to erase the psychic and fiscal pain of millions of consumers like you and probably everybody you know.

Negligence by Equifax? Certainly.

Negligence on the part of the federal agency that’s supposed to protect millions of U.S. consumers from the dizzyingly inadequate cyber security of companies like Equifax?

Most definitely.

If you would like to get started on a comprehensive cybersecurity plan to protect against hacks like the Equifax breach, ICE can be of value to your organization.

Contact us today and let our cybersecurity experts elevate your company’s security measures and put your risk on ICE.



Cybersecurity Landscape for 2018

NotPetya. WannaCry. Spora. Sound all too familiar?

This year’s onslaught of global cybercrimes rightly struck fear into anyone who uses a laptop, a hand-held device or owns a business. With each attack, the anxiety factor grows into a sense of vulnerability, dread, even helplessness.

Looking ahead to 2018, what’s your best defense? How can you protect your family, your company, your employees and business reputation from the potentially dire effects of identity theft and the scourge of ransomware?

Meet industry experts to hear their 2018 cyber forecast at our “Cybersecurity Landscape for 2018,” a 45-minute thought leadership panel discussion set for Thursday, November 16. The event will run from 6:00 pm to 8:00 pm at ICE Cybersecurity, located in the NEST building in Bankers Hill.

Moderated by ICE Founder/CEO Ford Winslow, the event will introduce you to key industry players who will share their assessment of the next level of cybersecurity threat.

Scheduled panelists include:

  • Ted Harrington, Independent Security Evaluators

  • Paul Groom, National Strategic Account Manager, SonicWALL, Inc.

  • Paul Leet, Solutions Architect, SonicWALL, Inc.

  • Roy Bettle, Vice President, Sales & Strategy, ICE Cybersecurity

Light food and drinks will be available at the complimentary event, sponsored by Seceon and SonicWALL.

Who Should Attend: C-level officers interested in assessing cyber threats for 2018.

Can't make it? Contact Roy Bettle, VP Client Solutions at 442-273-0910 to share our post-event write-up.

3 Ways Ransomware Affects Healthcare Cybersecurity

Ransomware encrypts files and effectively locks users out of their computers and data. Those behind this type of cybersecurity attack then ask for money - ransom - in exchange for your data. It is estimated that 7.4 million new malware programs will be released in 2017. That’s about 850 per hour.

Most ransomware is delivered in an email. In healthcare systems, ransomware can make its way in through common programs like electronic health record and billing systems. Most ransom is paid in bitcoin, making it difficult to track criminals once the ransom has been paid.


1. Ransomware Halts Patient Care


Hospitals across England and Scotland were forced to cancel routine procedures and divert emergency cases after a May 12, 2017 ransomware attack that affected 99 countries. X-rays were halted. Chemotherapy treatments were put on pause. Records necessary to perform surgery were inaccessible. Critical test results were inaccessible. Affected healthcare workers stated that they were not aware of the issues with dated hardware, software and cybersecurity measures until the attack had already compromised patient care.


2. Ransomware Compromises Patient Records

Records for over 200,000 patients were leaked in a ransomware attack on Atlanta-based Emory Healthcare on Jan. 3, 2017. Files included names, addresses, emails, birth dates, medical record numbers and cellphone numbers. Medical record breaches have also leaked mental health and medical diagnoses, HIV statuses and sexual assault and domestic violence reports. Whether or not the records were used by criminals, Emory Healthcare’s patients suffered breach notifications, loss of trust and ultimately more barriers to healthcare.

3. Cybersecurity Attacks Cause Financial Loss

Remember those leaked patient records? A recent study conducted by the Ponemon Institute for IBM estimated that breaches cost U.S. companies on average over $7 million per breach. That’s an average of $215 per breached record. Additionally, companies like Merck had their supply chains for distribution of medical products disrupted by ransomware in June 2017.

Prevent Ransomware Attacks with Cybersecurity Assessments

It is the current recommendation of the FBI that public and private health entities have their networks checked for vulnerabilities by a professional and then work with internal or third-party teams to resolve issues and maintain a secure posture.

6 Cybersecurity Action Steps for Corporate Directors

Equifax Cybersecurity Incident Response Under Investigation

Equifax, one of the major credit reporting agencies in the U.S., reported a data breach Sept. 7 that affected 143 million consumers. The hack is one of the largest ever recorded and may have released personal details of an estimated 44% of the U.S. population.

According to The Apache Foundation, makers of open-source software used by Equifax to create Java web applications, cybersecurity professionals offered Equifax security updates that would have resolved the vulnerability two months prior to the hack.

The U.S. Federal Trade Commission, the congressional House Oversight Committee, the Consumer Financial Protection Bureau, multiple state-level attorneys general and departments of financial services have all begun investigations of the breach and Equifax’s cybersecurity incident response.

Board of Directors at Risk Over Cybersecurity

This week Equifax announced that their Chairman, Richard Smith, has stepped down as CEO following the cybersecurity breach. The week before, Equifax’s chief security officer and chief information officer stepped down as well. Despite the distance that exists between the senior executives of large organizations and their IT professionals, executives are largely held accountable for oversights, especially when they have a negative impact on consumers.

Corporate directors need to pay attention to the wide range of cybersecurity risks uncovered by this attack, and should implement measures to address any vulnerabilities their companies face. In times like this, any board will come under extreme scrutiny. They will be asked how they handled several executive issues, including board management, data privacy oversight, and executive compensation policies.

In particular, all boards should be concerned about cybersecurity policies and examine their capacity to defend against today’s rapidly expanding data theft. Henry Stoever, Chief Marketing Officer at National Association of Corporate Directors (NACD), says, “There are two kinds of companies: those that know they’ve been hacked, and those that don’t know they’ve been hacked.” Accordingly, Stoever states that there are six action steps for corporate directors to take to improve cyber security measures:

Six Cybersecurity Action Steps for Boards

  1. Approach cyber security as an enterprise-wide risk management issue, not an IT issue

  2. Understand the legal implications of cyber risk as they relate to their company’s specific circumstances

  3. Ensure boards have adequate access to cybersecurity expertise

  4. Facilitate discussions about cyber risk management on a regular basis and allow adequate time on board meeting agendas for robust discussions with the management team and external cyber experts

  5. Require the management team to establish an enterprise-wide cyber risk management framework with adequate staffing and budget

  6. Strategize discussions with management to include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance — as well as specific plans associated with each approach

Cybersecurity Incident Response and Accountability

In a statement released to the public, Equifax CEO Richard F. Smith stated, “This is the most humbling moment in our 118-year history.”

Equifax has the opportunity now to refine their accountability practices. Public opinion and stock value for Equifax have suffered as a result of the incident, the late release of information to the public and the subsequent discovery of issues with the company’s phone system and website. Taking steps to ensure regular assessment of their compliance and performance would go a long way in earning back the public’s trust.

The lesson here for every board member is that cybersecurity is an increasingly important enterprise issue that affects all levels of an organization’s operation. It requires comprehensive strategy and risk assessment. Cybersecurity is complex and must evolve quickly to combat cyber threats of increasing severity. These threats can cause significant financial, competitive and reputational damage.

If you’re not sure how to get started with a robust cybersecurity plan, ICE can help. For many companies, our Managed Security Services can cost-effectively solve these issues quickly and completely. Contact us today and let our experts help you improve your company's security and put your risk on ICE.

How to Avoid Your Own Equifax Cybersecurity Meltdown in 7 Steps

Equifax reported on September 7, 2017 that there is "No evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases". This is a very important statement because the data in those core databases support every personal or commercial loan in the United States. Business in the U.S. grinds to a halt if credit data can't be trusted.

The Equifax hack is a “near-miss by cyber-weapon targeted at our financial system,” according to Ford Winslow, business, cybersecurity and IT expert, of ICE Cybersecurity.

Every interest rate on every personal or corporate loan could be called into question if the data used to underwrite the loan were to be compromised, according to Winslow. The securities market could turn upside-down immediately. Currently the Federal Reserve issues over $200 billion in overnight loans every day. Over the period of the breach, that’s about $15 trillion in loans that could be impacted: $150 billion in interest payments were paid based on credit ratings.

What Happened

On September 9th, 2017, Equifax, one of the major credit reporting agencies in the U.S., reported a data breach affecting 143 million consumers. The company stated that criminals exploited a web app vulnerability to gain access to confidential files. The hack may have released the personal details of 44% of the U.S. population, and is one of the largest breaches ever recorded. These personal details include names, Social Security numbers, birthdays, addresses and driver’s license numbers. The hackers obtained 209,000 credit card numbers, and 182,000 documents with personal identifying information on them.

This breach has massive implications. Not only are the consumers in question at an increased risk of identity theft, but the security of countless other websites and organizations could be at risk. The information asked during routine identity verification checks is roughly the same information that was compromised in the hack. Equifax created a website after the breach to help consumers find out if their data has been compromised. The website asks for your information and lets consumers know whether or not their data was affected. It also prompts affected consumers to enroll in Equifax’s data protection service. At present, using the site might also prevent consumers from participating in any class action lawsuits against Equifax.

Cybersecurity is Mandated by GLBA

Two class-action lawsuits have already been filed against Equifax. The Financial Services Modernization Act of 1999, or Gramm-Leach-Bliley Act (GLBA), regulates how financial service institutions use and safeguard user information. While it is unclear whether or not Equifax violated the core tenets of GLBA provisions, some individual states have added provisions to the Act themselves. Oregon legislation requires that institutions notify the consumer “in the most expeditious way possible.” Since the breach was discovered on July 29, and Equifax didn’t notify investors of the breach until September 7, after selling a great deal of their own stock, things are not looking good for Equifax.

This is not the first time that Equifax has been compromised. Earlier this year, W-2 tax data was stolen from TALX, an Equifax subsidiary that provides online payroll and tax services to large U.S. corporations. In 2016, criminals stole W-2 tax and salary data from a different Equifax website. Since the sensitivity of the data compromised has become progressively more severe, and the number of consumers affected has progressively increased, Equifax is now under a great deal of scrutiny for potentially negligent cybersecurity controls.

Cybersecurity Begins at the Top: Boards of Directors Should Be Worried

“Organizations need to understand the legal implications of cyber risk as they relate to their company’s specific circumstances,” said Henry Stoever, Chief Marketing Officer of the National Association of Corporate Directors (NACD). Companies need to ensure their boards have adequate access to cybersecurity expertise and regular discussions about risk-management are occurring with the frequency NACD recommends.

It is particularly important for companies to have multiple layers of cybersecurity controls. Many companies today house significant amounts of personal and financial data, all of which may be at significant risk.

What can companies do to prevent cyber security data breaches?

Security breaches are inevitable. However, there’s prevention, detection and response. Ransomware alone is a $75 billion industry, so having prevention measures as standard operating procedure is a critical first step. 60% of all attacks are carried out by insiders and 25% of those involve inadvertent incidents.

The latest M-Trends report finds the average incursion lasts 205 days before detection. Basic cybersecurity practices such as continuous monitoring could have detected the data breach in hours rather than months.

7-Point Cybersecurity Checklist For Any Organization

1) Integrate cybersecurity into web app development:

In almost every organization, security is not part of application development. Integrating security team members into application development has traditionally been seen as slow, expensive and ineffective. How much is too much to spend on securing data?

2) Continuous cybersecurity scanning for vulnerabilities:

We don't know if this vulnerability was something known that could have been patched or a "Zero-Day" vulnerability. If it turns out that the vulnerability was already known, continuous vulnerability scanning would have discovered the gap and allowed for detection, response and repair.

3) Full-Restore Data Backups: 

Backup all critical information, then make sure it can be restored upon demand. Backups should be stored offsite and offline. Backups should be tested for full restoration of data.

4) Staff Training:

According to Harvard Business Review, 60% of all attacks are carried out by insiders. 75% of those are malicious and 25% are inadvertent, such as clicking on a phishing email. Staff must be trained on best cybersecurity practices continually and during the onboarding of new hires.

5) Incident Response:

Ensure a company-wide, top-down-bottom-up incident response plan and handbook for staff is in place, up to date and tested regularly.

6) Continuous penetration testing:

Penetration tests (Pen tests) mock up attacks and discover where systems can be breached. Most financial organizations do penetration testing annually, or more. With modern tools and automation, penetration testing can, and should, be done continuously and randomly.

7) Data mapping and security architecture:

Many organizations don't have a good grasp on where and how sensitive data can be accessed. In this case, attackers were clearly able to exploit a user account that had significant privileges to view data. A good security architecture plan may have helped Equifax limit the damage by restricting how many records were breached.

ChefConf 2017: Technical Artists at Work

In May, we spent three days in Austin, Texas, at ChefConf 2017 learning about DevOps culture, workflow, infrastructure automation, and continuous application delivery.  The event, hosted by Chef, was the best technology conference we’ve attended this year (for reasons both technological and not – see below! ;).

Keynote speakers included executives from Chef, Microsoft, Google, Verisk Analytics, and more. Workshops touched on managing DevOps teams, along with ways numerous Chef tools can help your organization remain compliant, secure your infrastructure, and take advantage of new automation features.

Here are three key things we learned from this year’s event.

Continuous Integration Solutions

We left feeling that Chef's offerings have matured to the point where a full CD pipeline approach is very viable. The latest updates to Chef Automate & Habitat have sharpened them significantly as an end-to-end Continuous Development/Continuous Automation solution. Case studies from companies that implemented Chef, an exploration of new toolsets and features, and a look at their roadmap for the future provided a lot of insight into the latest DevOps trends.

A few key things we noticed in the breakout sessions:

  • Comprehensive dashboard views inside Chef tools
  • Compliance dashboard for a thorough overview of risks and compliance issues
  • Heavy focus on power and clarity in solutions
  • Habitat now includes a builder service, adding yet another capability for managing the CD pipeline with Chef tools
  • Habitat automatically incorporates all dependencies
  • Updates and point-in-time backups are applied automatically in AWS OpsWorks, a fully managed Chef Automate service.

Sessions were also awesomely heavy on live demos, providing a richer learning experience than slides alone could offer. For instance, a demo of adding a compliance check for a new vulnerability took less than one minute to add a new test and re-test the infrastructure environment.  

In a session focused on Habitat, speakers stressed the key difference between a “choreography” and an “orchestration” in a tool. While the two terms share similar meanings, the differences in approach create different results upon execution.

Orchestration involves a top-down approach where a person issues a command and awaits a response. This approach is an older development model. Choreography, on the other hand, is a more collaborative process. Think of it as asking a band to play a song. You don't ask each band member what to play. Instead, you ask the musicians and let them self-organize to create beautiful music. This is Habitat!

DevSecOps Trends

We especially liked the focus on security and DevSecOps. A few highlights:

  • InSpec can be run on schedule, which means continuous compliance
  • InSpec declarative language is human readable and auditor compliant
  • Chef is now an official contributor to the “DevSec Project” to provide template cookbooks for hardening and compliance

Culture And Camaraderie

A final key takeaway from ChefConf is the ability to look inside company culture to reveal how it impacts employees. Chef takes cues from Google, both in being a hip company and treating employees like royalty.

To me, Chef’s team is a collective of technical artists. They’re among the best of the best in the ways they plug into the open source community. By engaging with the greater community, the team is able to foster an environment of innovation and collaboration. Just as collaboration makes for a better experience with Chef’s tools, the company also creates an environment to foster innovation among the greater DevOps community. Chef’s roadmap, current project status board, and Dev team Slack channel are all public. Anyone is welcome to create recommendations and interact with the team to request the features and knowledge you want to have.

The company is totally transparent to the community and works with the community as peers. If we had to guess, we’d say Chef CTO/Co-Founder Adam Jacob had much to do with this community-first methodology.

This culture was reflected in the conference itself. Just like other leading-edge tech companies, there was no shortage of ping-pong tables, skee ball, giant Jenga, and bean bag chairs. In the Habitat lounge, you could enjoy a cold brew while checking out a demo.

Making each and every person at the conference feel welcome and valued was intertwined in the very fabric of ChefConf. The event’s code of conduct expressed diversity and inclusiveness among its core values, in addition to ensuring that no attendees felt discriminated against or harassed.

Commitment to creating a welcoming environment for all didn’t stop with the code of conduct. Dedication to inclusiveness was reflected everywhere from the specially made “inclusive bathrooms” signs to actions in each session.

Before a session began, everyone in the audience was asked to stand and clap to welcome the speaker to the stage. It may have been a small show of goodwill, but this simple action made a huge difference for everyone in the room. Every speaker mentioned how a warm welcome set the stage for a more engaging talk. And it showed. The speaker’s comfort was clearly reflected in the quality of the session.

Warm and friendly vibes carried through to the very end of the conference. Once the final keynote wrapped up, the more than 1,500 audience members stood up to partake in a giant group hug.  

Organizers also spared no expense for the Chef Community Party. They reserved the entire Stubbs venue. For those of you familiar with Austin, you know this was no small feat or budget. Bands and DJs performed on outdoor and indoor stages, and there was plenty of food and drink for all.

The result of the focus on culture? Chef attracts the best talent and encourages unique people, which leads to true innovation. After spending time with the Chef team, we couldn’t help but think, "Ok, THESE are our people." After this year’s informative, inclusive, and downright fun event, we’re counting down the days to next year’s conference.

Ford Winslow Presents at ITAC 2016 - How did Cyber go so Wrong?

Thursday, 12/8/2016, 11:00 AM - 12:00 PM

Session Title: B9: How Did Cybersecurity Go So Horribly Wrong and How Do We Get it Back on Track?
At the IT Auditors Conference in New Orleans, LA, Ford Winslow closed the track with a session on the history of cyber and what we can expect in the coming years.  

The presentation closed with several recommendations for the industry to get back on track:

#1 - Use a Risk-Based Approach

A common-sense approach to implementing security makes security practical and attainable. Overkill leads to complexity and risk; under-funding leads to gaps and risk as well. Justifying your security program based on risk is the only way to spend the right amount at the right time on the right thing.

#2 - Better Auditing

Not only do auditors need to be better educated on the latest trends, technologists need to be better educated on audit and the needs of auditors. Both sides need to come together to come up with pragmatic audit approaches that yield trust. 

#3 - Make Cyber Cool

Consumer technology gets adopted because it's "cool". If cybersecurity is something you have to do because your parents, your doctor or your teacher says you have to, you will resist. Once being secure is cool, we won't have to try to be secure anymore. It'll just happen. 

#4 - Speed

The #1 resistance to security is speed. Security is "slow". Security is "expensive". These are all things I hear constantly. In fact, the opposite is true. Not taking a secure approach is slow. By not having a framework or requirements, teams don't know what to do. Practical security requirements teams can use from the first day help teams go faster. Brakes on cars help you go faster....