How to Avoid Your Own Equifax Cybersecurity Meltdown in 7 Steps

Equifax reported on September 7, 2017 that there is "No evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases". This is a very important statement because the data in those core databases support every personal or commercial loan in the United States. Business in the U.S. grinds to a halt if credit data can't be trusted.

The Equifax hack is a “near-miss by cyber-weapon targeted at our financial system,” according to Ford Winslow, business, cybersecurity and IT expert, of ICE Cybersecurity.

Every interest rate on every personal or corporate loan could be called into question if the data used to underwrite the loan were to be compromised, according to Winslow. The securities market could turn upside-down immediately. Currently the federal reserve issues over $200 Billion in overnight loans every day. Over the period of the breach, that’s about $15 Trillion in loans that could be impacted: $150 Billion in interest payments were paid based on credit ratings.

What Happened

On September 9th, 2017, Equifax, one of the major credit reporting agencies in the U.S., reported a data breach affecting 143 million consumers. The company stated that criminals exploited a web app vulnerability to gain access to confidential files. The hack may have released the personal details of 44% of the U.S. population, and is one of the largest breaches ever recorded. These personal details include names, social security numbers, birthdays, addresses and driver’s license numbers. The hackers obtained 209,000 credit card numbers, and 182,000 documents with personal identifying information on them.

This breach has massive implications. Not only are the consumers in question at an increased risk of identity theft, but the security of countless other websites and organizations could be at risk. The information asked during routine identity verification checks is roughly the same information that was compromised in the hack. Equifax created a website after the breach to help consumers find out if their data has been compromised, The website asks for your information and lets consumers know whether or not their data was affected. It also prompts affected consumers to enroll in Equifax’s data protection service. At present, using the site might also prevent consumers from participating in any class action lawsuits against Equifax.

Cybersecurity is Mandated by GLBA

Two class-action lawsuits have already been filed against Equifax. The Financial Services Modernization Act of 1999, or Gramm-Leach-Bliley Act (GLBA) regulates how financial service institutions use and safeguard user information. While it is unclear whether or not Equifax violated the core tenants of GLBA provisions, some individual states have added provisions to the Act themselves. Oregon legislation requires that institutions notify the consumer “in the most expeditious way possible.” Since the breach was discovered on July 29, and Equifax didn’t notify investors of the breach until September 7, after selling a great deal of their own stock, things are not looking good for Equifax.

This is not the first time that Equifax has been compromised. Earlier this year, W-2 tax data was stolen from TALX, an Equifax subsidiary that provides online payroll and tax services to large U.S. corporations. In 2016, criminals stole W-2 tax and salary data from a different Equifax website. Since the sensitivity of the data compromised has become progressively more severe, and the amount of consumers affected has progressively increased, Equifax is now under a great deal of scrutiny for potentially negligent cybersecurity controls.

Cybersecurity Begins at the Top: Boards of Directors Should Be Worried

“Organizations need to understand the legal implications of cyber risk as they relate to their company’s specific circumstances,” said Henry Stoever, Chief Marketing Officer of the National Association of Corporate Directors (NACD). Companies need to ensure their boards have adequate access to cybersecurity expertise and regular discussions about risk-management are occurring with the frequency NACD recommends.

It is particularly important for companies to have multiple layers of cybersecurity controls. Many companies today house significant amount of personal and financial data, all of which may be at significant risk.

What can companies do to prevent cyber security data breaches?

Security breaches are inevitable. However, there’s prevention, detection and response. Ransomware alone is a $75 Billion industry. So have prevention measures as standard operating procedures is a critical first step. 60% of all attacks are carried out by insiders and 25% of those involve inadvertent incidents.

M-Trends latest report find the average incursion is 205 days before detection. So basic cybersecurity practices such as continuous monitoring could have detected the data breach in hours rather than months.

7-Point Cybersecurity Checklist For Any Organization

1) Integrate cybersecurity into web app development:

In almost every organization, security is not part of application development. Integrating security team members into application development has traditionally been seen as slow, expensive and ineffective. How much is too much to spend on securing data?

2) Continuous cybersecurity scanning for vulnerabilities:

We don't know if this vulnerability was something known that could have been patched or a "Zero-Day" vulnerability. If it turns out that the vulnerability was already known, continuous vulnerability scanning would have discovered the gap and allowed for detection, response and repair.

3) Full-Restore Data Backups: 

Backup all critical information, then make sure it can be restored upon demand. Backups should be stored offsite and offline. Backups should be tested for full restoration of data.

4) Staff Training:

According to Harvard Business Review, 60% of all attacks are carried out by insiders. 75% of those are malicious and 25% are inadvertent such as clicking on a phishing  email. Staff must be trained on best cybersecurity practices continually and during the onboarding of new hires.

5) Incident Response:

Ensure a company-wide, top-down-bottom-up incident response plan and handbook for staff is in place, up to date and tested regularly.

6) Continuous penetration testing:

Penetration tests (Pen tests) mock up attacks and discover where systems can be breached. Most financial organizations do penetration testing annually, or more. With modern tools and automation, penetration testing can, and should, be done continuously and randomly.

7) Data mapping and security architecture:

Many organizations don't have a good grasp on where and how sensitive data can be accessed. In this case, attackers were clearly able to exploit a user account that had significant privileges to view data. A good security architecture plan may have helped Equifax limit the damage by restricting how many records were breached.

If you’re not sure how to get started with a robust cybersecurity plan, ICE can help. For many companies, our Managed Security Services can cost-effectively solve these issues quickly and completely. Contact us today and let our experts help you improve your company's security and put your risk on ICE.