Technology Failure of the Year: Equifax
Q3 breach costs:
In the U.S. alone, 145.5 million consumers were impacted by the breach, but Equifax said it also impacted customers in Canada and the U.K.
Attackers were able to exploit an Apache Struts web application vulnerability. A patch to fix the flaw was made available on March 6, two months before hackers exploited the application.
Data encryption status:
Interim CEO Paulino do Rego Barros Jr. said he "didn’t know at this stage" whether Equifax data was still unencrypted at rest, responding to a question asked as part of a Senate committee hearing in November.
Even with the disclosure of an additional two billion breached records from Yahoo, Equifax has reached cybersecurity infamy and is our technology failure of 2017.
Consumers, security experts and lawmakers have made many conclusions and condemnations about the Equifax breach. For example, as part of a Congressional hearing opening statement, Rep. Jan Schakowsky, D-IL, said, "Equifax deserves to be shamed in this hearing."
Equifax's true failure does not lie in its IT security posture. Certainly, its practices highlight errors in how it identified and responded to the incident, but a far more glaring issue is the company's public response.
Immediately after disclosing the breach, stock trading by Equifax executives was called into question, though a committee later cleared them of "insider trading." Confusion also persisted about whether those who opted into free credit monitoring could participate in lawsuits against the firm.
Consumers and some financial institutions have filed more than 240 class action suits against Equifax in federal, state and Canadian courts.
With a breach as large as Equifax's and that much sensitive personal information compromised, the company was obviously going to face widespread criticism. But a thorough response plan without lingering questions would have helped salvage the company's reputation.
Apache Struts patch made available
Equifax believes unauthorized system access began, stemming from unpatched Apache Struts flaw
Equifax discovers unauthorized system access
Equifax takes down affected web application, launches internal investigation
CSO Susan Mauldin contracts King & Spalding to investigate breach
CEO Richard Smith receives briefing on breach and informed that breach may have compromised PII
Equifax publicly discloses the breach, offers credit monitoring and identity theft protection
CIO David Webb and Mauldin retire
2017 Equifax Breach
In particular, Equifax waited too long to disclose and could have improved how it interacted with customers, according to Doug Saylors, director of ISG, a global technology research and advisory firm. Equifax should have also taken steps to prevent the breach, but in the current threat landscape, preventing security incidents is nearly impossible.
Organizations also have to be able to assess breach impacts, but that can prove extremely difficult in enterprise IT environments, according to Kris Lovejoy, CEO of BluVector and the former CISO of IBM.
To assess the scope of incidents, organizations must have technologies in place to monitor and detect attacks, Lovejoy said. If events are detected, that doesn't guarantee analysts will have enough time to respond to all the incidents. And in many cases they may not have ever seen an incident before.
If a breach does occur, organizations might be able to use a log of systems to determine impact and scope of the event. "What people don't realize is those logs oftentimes don't exist. Organizations don't create them and don't collect them because they're expensive," Lovejoy said. And even if a log does exist, it's a big ask to analyze it.
Equifax was a failure of IT security, but many organizations have already faced embarrassing IT failures similar in nature. In such cases, no response is going to be perfect, but accountability is key.
"The only thing that is now a common denominator of all crisis and communications is, whenever something happens, you must fire the CEO," said Eric Dezenhall, CEO of Dezenhall Resources, a crisis communication firm. That, at least, is the narrative that has emerged.
In terms of crisis response, cyberattacks and breaches are now in vogue, and honing a response strategy could help save companies from a harsh bottom line impact.
"The crisis of yesteryear was the product recall. Today it's often the breach because everything is so information based," Dezenhall said. "Consumers have this notion that cybersecurity is something like nuclear war — it's just something you can't think about because it's too big. So when it happens, then it becomes, ‘what did you know and when did you know it?'"
Cyberattacks and data breaches are not going to diminish, particularly with advanced tools readily available for malicious actors. It is imperative organizations create a response plan and security teams know to escalate cybersecurity events of note as quickly as possible.
Follow Naomi Eide on Twitter