Last week Equifax announced one of the largest and most impactful data breaches to date. Sure, we have had larger troves of information hacked: Yahoo with 1 billion accounts, Target with over 70 million cards and customer records impacted, and the Office of Personnel Management (OPM) with 21 million persons' information (including SSNs) impacted. OPM is disastrous for those of us who have served in intelligence functions or other sensitive posts.
Why is the Equifax breach so bad? Because the credit reporting agencies hold our financial data, financial transaction and experience information, and payment history all in one location. We pay so much attention to the loss of replaceable credit card numbers that we forget that the theft of SSNs is devastating, because these numbers are effectively immutable (yes, technically an SSN can be changed, but the original is always there and stays linked to your history). So, in terms of risk, a successful hack of one of the three main credit reporting bureaus is about as bad as it gets.
In its announcement, Equifax stated that the unauthorized access to its systems occurred from mid-May through July 2017, and that the intruders did not have access to its core credit reporting databases. It was noteworthy that the CEO appeared in a taped video statement to announce the breach; this matters from an accountability perspective. It was less heartening that the credit monitoring sign-up process appears to be convoluted. You can check whether you are affected, but the system gives you no answer other than to check back in four days. The website asks for the last six digits of your SSN, and the PIN codes it issues are derived from the date and time of access, which makes them predictable rather than secret. This is a miss from both an operational and a reputational perspective: consumers should be able to access the free credit monitoring being offered at the point in time the notice is provided.
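To make the PIN point concrete, here is an added example (not code from the original post or from Equifax) that models a PIN derived from the date and time of enrollment and shows how small the guess space is compared with a PIN drawn from a CSPRNG. The MMDDYYHHMM layout, the one-minute granularity and the one-day enrollment window are assumptions for illustration; the post only says the PINs are based on time and date of access.

```python
import secrets
from datetime import datetime, timedelta
from typing import List, Optional

PIN_DIGITS = 10  # assumption: a 10-digit PIN, the length MMDDYYHHMM happens to give


def timestamp_pin(year: int, month: int, day: int, hour: int, minute: int) -> str:
    """A PIN derived from the enrollment timestamp.

    Assumed format MMDDYYHHMM; the real format is not stated in the post.
    Anyone who knows roughly when a victim enrolled can reproduce this.
    """
    return datetime(year, month, day, hour, minute).strftime("%m%d%y%H%M")


def guess_space_for_day(year: int, month: int, day: int) -> List[str]:
    """Every PIN the timestamp scheme could have issued on one calendar day.

    One candidate per minute, so the whole space is 24 * 60 = 1440 values,
    against 10**PIN_DIGITS for a uniformly random PIN of the same length.
    """
    start = datetime(year, month, day)
    return [
        timestamp_pin(*(start + timedelta(minutes=i)).timetuple()[:5])
        for i in range(24 * 60)
    ]


def brute_force_timestamp_pin(target: str, year: int, month: int, day: int) -> Optional[int]:
    """Return how many guesses an attacker needs to hit `target` given only
    the enrollment day, or None if the PIN was not issued that day."""
    for guesses, candidate in enumerate(guess_space_for_day(year, month, day), start=1):
        if candidate == target:
            return guesses
    return None


def random_pin(digits: int = PIN_DIGITS) -> str:
    """The hardened alternative: a PIN from the OS CSPRNG, uniform over 10**digits
    and unrelated to when the consumer enrolled."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def guess_space_ratio(digits: int = PIN_DIGITS) -> float:
    """How many times larger the random-PIN space is than one day of timestamp PINs."""
    return (10 ** digits) / (24 * 60)


if __name__ == "__main__":
    victim_pin = timestamp_pin(2017, 9, 8, 12, 34)  # constructed example enrollment
    print("timestamp PIN:", victim_pin)
    print("guesses needed knowing only the day:", brute_force_timestamp_pin(victim_pin, 2017, 9, 8))
    print("random PIN:", random_pin())
    print("random space is %.0fx larger than one day of timestamp PINs" % guess_space_ratio())
```

The lesson is not the specific format but the source of entropy: a value that any observer can reconstruct from context (time, sequence number, account identifier) is an index, not a secret, and should never gate access to a consumer's credit file or monitoring account.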
It is worth noting that another credit reporting agency, Experian, was also breached in 2015; not for payment information, but for key consumer data of the kind that makes its way into credit reports. Once more is known about what was exfiltrated from Equifax we will be able to discern a more accurate motive, but the hackers could be interested in personally identifiable information (PII) they can sell, in additional data useful for defeating "identity verification" controls (knowledge-based authentication questions are built from exactly the information a credit bureau holds), or simply in payment information.
The breach appears to be related to a web application vulnerability, which at this point could be anything. But this all comes back to sound secure coding practices, active application scanning and testing, and integrating security into the engineering and development process so that web applications are more resilient. Really, it is 'back to the basics': mitigate the OWASP Top 10 and SANS Top 20 vulnerabilities in your web application security program and make security the job of every engineer, backed by a robust security and infrastructure team.
About Dr. Chris Pierson
Dr. Chris Pierson is the EVP, Chief Security Officer & General Counsel for Viewpost - a FinTech payments company. He is a globally recognized cybersecurity expert and entrepreneur who holds several cybersecurity, anti-fraud, and technology patents.