Cybersecurity experts outline the wider ripples from Equifax breach

Direct, indirect effects will mount after leak of massive amount of personal information


The pain has only just begun for Equifax. Last Thursday, the giant credit bureau disclosed that hackers stole personal information for 143 million of its customers, presumably mostly Americans, but also Canadians and Europeans.

In less than 24 hours, two Oregonians, Mary McHill and Brook Reinhard, filed a federal class-action lawsuit accusing the Georgia-based company of failing to maintain adequate electronic security safeguards as part of a corporate effort to save money.

Then on Friday, Consumer Watchdog called on California state Attorney General Xavier Becerra to investigate. The advocacy group believes Equifax may have violated California’s benchmark data loss disclosure law, which requires timely notification of the victims in these types of breach cases.


John M. Simpson, Consumer Watchdog Privacy Project director, minced no words in lambasting the company for allowing senior executives to dump stock before publicly announcing the breach.

“It’s unconscionable that three top executives sold Equifax stock after the breach was discovered, but before the news was made public,” Simpson says. “The executives who sold their stock based on insider information should forfeit any profits and go to jail.”

Consumer Watchdog is asking AG Becerra to block Equifax’s attempt to push its victims into arbitration and investigate why public notification of the breach was delayed so long.

Against this backdrop, ThirdCertainty convened a roundtable of cybersecurity experts to discuss the wider ramifications of Equifax’s disclosures. Here are their comments, edited for clarity and length.

Kenneth Geers, senior research scientist, Comodo


“The sheer size of this breach, which spans at least the United States, Canada and Great Britain, may have frightened some Equifax officials into selling a portion of their company shares.

“On the technical side, it is critical that we learn what application was exploited, and what vulnerability was leveraged, so that other companies can take defensive action. Equifax was simply not ready for the level of responsibility that possession of this quantity and quality of digital information requires. It is alarming that, despite past cybersecurity compromises, Equifax today apparently has no chief information security officer (CISO) to talk to.”

Venky Ganesan, managing director, Menlo Ventures


“This isn’t just a few pieces of personal information that were hacked. A credit bureau has all of a consumer’s important information. It knows all the places people have lived, all the credit cards they have, the size of their mortgage, all their liabilities and all the payments they have missed. This is the equivalent of penetrating the Federal Reserve, not merely robbing an individual bank.

“Equifax completely botched its response to the breach. They did not notify people promptly and have not told the public the full extent of the breach. Their response website is also a joke. The response may actually be worse than the breach.”

Pravin Kothari, chief executive officer, CipherCloud


“The Equifax breach not only affects nearly half of the U.S. population, it also includes personal data of residents in the UK. If this breach had occurred after May 2018, when the EU’s new General Data Protection Regulation (GDPR) goes into effect, Equifax could have had to pay penalties of up to $120 million (4 percent of global revenues).

“The EU adopted GDPR in April 2016 and gave organizations a two-year period to prepare; however, many companies have yet to begin their compliance efforts. We expect GDPR to serve as a model for similar regulations in the U.S. and around the world, helping to protect individual privacy and thus minimize the economic threat from future data breaches.”

Derek Manky, global security strategist, Fortinet


“Security breaches are a reality every organization faces, whether targeted or not. An important strategy to consider, in addition to proactive lines of defense, strong cyber hygiene, and actionable threat intelligence, is using segmentation to reduce the critical impact of a threat. Once a threat gains entry, it can spread and eventually extract the valuable assets it was sent to retrieve. Or worse, it can encrypt and hold for a high-value ransom. Segmentation is extremely valuable to limit spread and reduce impact.”

Anthony Di Bello, senior product director, Guidance Software


“Equifax’s breach is yet another data point, albeit a massive one, in the new reality of organizations being continuously compromised. We’ve done research that shows one in four businesses suffered direct financial losses due to a cyber attack in the past year, and the number of organizations reporting significant financial losses tripled.

“We’re in a new reality where it’s not just ‘will my company get breached?’ but a question of when. Fighting back requires a well-planned endpoint detection and response strategy that can mitigate the otherwise crippling repercussions businesses are increasingly seeing from these cyber attacks.”

Bob Ackerman, managing director, Allegis Capital


“The direct and indirect costs of this breach, including the class-action lawsuit, could easily surpass $500 million. It is almost inevitable for a large aggregator of highly sensitive data to be breached at some point. It is a big, juicy target. There is a strong argument for decentralization of data collections. No single failure should result in a catastrophic loss.

“The data should have been encrypted. No excuses—period. This is an example of the type of dataset that will benefit from homomorphic encryption (encryption for data in use) as it becomes available.”

Matthew Gardiner, senior product marketing manager, Mimecast


“While the collection and aggregation of consumer information to feed the generation of credit scores is tremendously important to the consumer credit market, the downside of the mass centralization of this sensitive data is the risk of loss on a mass scale. This is an example of how a single breach can lead to the release of data on nearly half the U.S. population.

“This data in the hands of malicious actors can be used in many ways to steal money or data from individuals and businesses and, of course, can be sold on the black market to other specialized cyber criminals. It is important that consumers and businesses take this breach seriously and double down on their security controls.”

Josh Mayfield, platform specialist, FireMon


“Seeing what happened to Equifax should awaken us to the realization that we must do something different. These things happen because we continue to follow an outdated playbook with directives that haven’t evolved to address the changes in the world.

“Threat hunting is a discipline that uncovers the changing Tactics, Techniques and Procedures (TTPs) of sophisticated adversaries. We should demystify the notion that threat hunting is the preserve of super-elite organizations or individuals. Threat hunting involves open-ended, recursive, combinatorial search across all datasets to reveal what is currently hidden. Anyone can hunt; it only requires following the methods and principles for threat hunting.”

John Gunn, chief marketing officer, VASCO Data Security


“The magnitude of this breach is unprecedented, and, unlike a breach that involves credit card data, these millions of victims will be at increased risk of fraud for the rest of their lives. You cannot get a replacement Social Security number because your service provider had inadequate security measures.”

Andrew Avanessian, chief operations officer, Avecto

“Basic security hygiene could have been enough to prevent a breach of this scale from happening. Security is never a one-time investment; it is a journey not a destination — and it requires constant thought, attention and action.

“It’s crucial that those affected stay vigilant, as the details exposed in this incident are enough for a hacker to commit fraudulent acts and even steal personal identities. I’d recommend watching out for emails asking to confirm personal details, or requesting username and password information. If you’re ever unsure, it’s always best to contact a company directly by phone, to check it’s an authentic communication.”
