COVER FOCUS
Equifax Lessons Learned
By Chad Knutson
One of the Most Impactful Breaches to Date
It's important to know that the details of most data breaches change over time, especially during an active investigation, and usually for the worse. It is possible things could still get worse for Equifax. Here is what is currently being reported:

Sensitive data belonging to 145.5 million customers has been breached (updated as of October 6th to include an additional 2.5 million identities). The leaked information may include:

· Consumer Names
· Social Security Numbers
· Birthdates
· Addresses
· Driver's License Numbers (in some cases)

Additionally, the following information may also have been exposed:

· 209,000 credit cards
· 182,000 consumer dispute documents containing personal information

This is a considerable number of records and, to add insult to injury, it's pretty rich data compared to other breaches. This information would be prime data for identity theft and will bring a premium on the dark web. It is valuable for opening new lines of credit under your name, committing tax fraud, or creating an identity similar to yours to commit crimes. In addition to the issues related to the loss of this sensitive data, many other things have gone wrong with this breach and with the process Equifax has taken to address it.

The Equifax Breach - What Happened?

Let's start with what we know about the breach. The following are all great examples of what NOT to do in a data breach scenario.

Equifax announced on September 7th that it had been investigating "unauthorized access" to a web application system that it identified on July 29th. This unauthorized access could have started in mid-May and continued through July, and was made possible by a software vulnerability in an open-source software program called Apache Struts, which is a programming framework for building web applications in Java. It is reported that most Fortune 100 companies use this software. Equifax has recently announced that the breach was related to a vulnerability that was publicly announced in March. This confirms many experts' suspicion that the breach was a result of slow patch management and not of an unknown zero-day vulnerability.

It is also reported that three executives at Equifax, including its Chief Financial Officer, President of U.S. Information Solutions, and President of Workforce Solutions, collectively sold shares and exercised stock options totaling approximately $1.8 million before August 2. The Senate Finance Committee wants details on these three individuals to determine whether they had knowledge of the security breach under investigation prior to selling their stock. Whether or not they did, the claims of insider trading surely don't look favorable for Equifax.

On September 15th, Equifax reported that two other executives, its Chief Information Officer and Chief Security Officer, would be retiring immediately. These positions will be filled by other internal team members. On September 26th, the CEO of Equifax, Richard Smith, also retired amid the fallout of the breach. Ex-CEO Smith provided testimony to a U.S. Congressional committee regarding the breach and how the events that ultimately led to it transpired. While Smith took responsibility for the hack, he blamed one single individual who was tasked with responsibility for patch management and for the software that was vulnerable. Equifax's patch management process was found to be lacking, and it was discovered that much of its confidential customer information was stored in plain text.

In response to the breach and massive public concern over the lost consumer data, Equifax has set up a website to help people understand details of the breach and take next steps. The website was given a new domain name, which has sparked additional criticism as the URL looks like a phishing site: https://www.equifaxsecurity2017.com. On that website, they provide a way to check if you were one of the 145 million affected Americans. According to an article by Brian Krebs, this site does not appear to be producing reliable information. In some cases, it says a particular person is not affected, but when the same data
MBA News | November/December 2017 | www.minnbankers.com