Calm like a bomb
There are so many things wrong with the Equifax breach. So. Many. Things. And the information security community will surely be talking about them for a very, very long time. First we’ve got the fact that an estimated 143 million consumer records were breached—that’s almost half of the U.S. Second, it appears that the company’s database was exploited through a known vulnerability (Apache struts), which by anyone’s estimation should have been a high priority remediation. Then there’s the lackluster notification to the public in which the CEO put his own “disappointment” before concern for his customers. Then there was the ridiculous www.equifaxsecurity2017.com site where people could check the integrity of their record(s) (consequently, a few people typed in obviously phony information and were informed, “You were likely impacted by this incident”). Which leads to Equifax offering free credit monitoring for a year…with two major twists: 1. Anyone enrolled would be auto-renewed for a fee after a year of service, and 2. Initially, Equifax included a disclaimer that anyone who enrolled would exempt themselves from participating in a class action lawsuit.
Since Equifax’s initial response on September 7, 2017, the firm looks to have received some significant communications and crisis management advice from an outside firm. The tone of the firm’s messaging is noticeably more conciliatory, and they have rescinded on a few of the more eyebrow-raising statements. It’s hard to look away, though, from the fact that three executives sold off nearly $2 million USD worth of stock. Something in the water smells fishy (beyond the usual data breach nastiness), and consumers have taken note.
Security practitioners, for their part, are not known to be especially empathetic to others’ security mishaps, especially when it’s a breach the size, scope, and impact of the one from Equifax. But there is one thing Equifax did right. And because, as professionals, we should always strive to seek teachable moments instead of complaining about what’s passed, I want to highlight this. Because the rest of the incident is nothing short of a complete disaster.
A lot of media outcry has centered around the length of time between discovery of the breach and public disclosure. Equifax has stated that it discovered the breach on July 29, 2017, just shy of 40 days before the official announcement. And while forty-ish days might feel like a lot of time if your identity is on the line, in the scheme of regular incident response proceedings, this delay is not out of the ordinary. Bill Dean, Senior Manager of LBMC Information Security Services, has worked hundreds of security incidents during his time as an incident responder and forensic investigator and says that (most) companies that detect a potential breach and are diligently trying to do the right thing will take the time and procure the resources to ensure that, when an announcement is made, the information is correct—that a breach indeed occurred and that harm was caused.
It is entirely possible, says Dean, that a compromise can be identified but that no actual breach has taken place. For instance, an unauthorized party may have accessed a database with sensitive data, but the data was fully encrypted, so upon further inspection, a “breach” cannot be declared. Maybe that same data was accessed (unencrypted) but there is no evidence to support that it has been copied or exfiltrated. Or, perhaps, an intrusion is found from a suspicious IP address, but after an investigation, the forensics team finds that the person accessing the data was authorized to do so; he was on a business trip at the time of access.
Before going to market with an announcement warns Dean, organizations should be “as technically accurate as possible—turning over every stone to confirm that data was breached and not just compromised.”
Now, when it comes to highly sensitive data, it may be the right thing to do for businesses to report a compromise. How many organizations would seriously consider that, though? Not many (which is why every consumer should take publicly disclosed data breaches as just the tip of the iceberg. In other words, much of your PII is available to cyber criminals. Someone who shouldn’t has your credit card number. Your best friends and enemies can find out where you live. Your birth date is practically a matter of public record). Therefore, you can expect that the typical organization will do its damndest to achieve a high level of probability that systems were breached before going public. Equifax may have committed a bevy of sins, but if the postponement was to conduct a thorough initial investigation, 38-ish days isn’t remarkable.
Finally, says Dean, because the U.S. does not have a federal standard for breach notification, it’s not atypical for companies to surpass a 30-day mark. While optimal, sometimes 30 days is just too quick to be completely confident. Now, when GDPR comes into play in the UK, companies that collect, manage, and store data of UK residents (which Equifax does) will have stricter requirements by which they must abide or suffer consequences. Had the Equifax breach happened after May 25, 2018, estimates put fines at $100 million. That’s on top of costs to clean up damage, restore systems to working order, and settle lawsuits. So for those companies preparing for a breach, understanding regulation requirements is a must.
It’s natural to judge and jump to conclusions when calamity has struck. And when security practitioners are both experts in a certain area and victims and victims of an incident, the wrath is at an all-time high. It’s prudent, though, to remember that most companies, at some point, will experience a breach. When you’re the security expert responsible for managing post-breach activities, your view on breach notification may be different than when you’re looking in from the outside.
When it’s your organization—or your own company—at risk, will you take precautions to be 100% certain before notifying customers and partners?
To learn more about similar topics that impact your day-to-day role, be sure to visit our Threat Intelligence Summit in Austin, Texas this November, or the highly anticipated InfoSec World Conference in Orlando, Florida in March.