Victim of a computer breach? Bad examples to be avoided

By Risk Performance and Technology group

Original, as it appears on FacteurH –

This massive, new data breach affected 143 million consumers, including Americans, Canadians, and Britons.

This incident caused the company to nosedive on the NYSE (NYSE:EFX); with the US credit rating agency’s shares dropping more 13% on after-market exchanges.

The stolen information included social insurance numbers, active credit card numbers and their limits, personal information (birth dates, phone numbers, addresses, and so on). So what, you say? Remember your last phone conversation with your bank? The security questions to verify your identity? Everything is there. In fact, because of this consolidated information, a fraudster can easily spoof the identity of innocent victims like you and me.

What errors were made?

  1. Security monitoring: Following an internal investigation, Equifax believes the attack dates back to May of this year and was detected in July, which was five and three months, respectively, before the public announcement. I often say that you would have to be “blind” or “deaf” not to know whether you were a victim of a cyberattack. In fact, the absence of security monitoring tools and active security supervision practices is still the primary cause of such dramatic delays. Clearly, much of the fraud was perpetrated once the data was stolen, during the hundred days separating the theft from the announcement and public reaction. The absence of supervision is a form of negligence.
  2. Communicating much too late with the first to be affected: Taking several days to notify of a significant cyberattack that impacts clients is a lot. Several weeks is unacceptable; several months—I’m not too sure what that is. Nothing justifies the absence of communication with persons affected by a data breach, especially when this data allows for the victims’ identities to be spoofed. Remember that this data belongs not to Equifax, but to their clients. The clients trust the company to protect and safeguard this sensitive data. The other consequence of this error was the immediate appearance in the media of a conflict of interest in which the famous three Equifax senior executives sold some of their shares in the company following the discovery events internally.
  3. Vulnerability tests and cybersecurity assessments were clearly non-existent, ineffective or… The subsequent security recommendations were correctly applied. Everyone needs to do an assessment of good security hygiene. It actually determines our responsibility for the existing controls that are supposed to protect confidential data. Following the attack, several international security experts tweeted previous evidence of Equifax system vulnerability. The PCI standard that certifies organizations storing or transmitting credit card data requires that these organizations conduct vulnerability tests on their computer infrastructures. Unfortunately for Equifax, the site that had been urgently created and made available by the company to help them was identified as dangerous.

What are the lessons to be drawn from this situation?

  • Ensure that you have a good understanding of the data ecosystem—your clients, associates, organization, partners, and suppliers—for which you are responsible.
  • Ensure that you keep this data physically close, under your control and properly encrypted at rest and in transit.
  • Ensure that you properly identify the regulations applicable to the data for which you are responsible.
  • Ensure that you have your security posture analyzed by cybersecurity experts.