Equifax Hack – Takeaways for Small Business
Posted by Timothy Platt on Sep 10, 2017
Key Points About the Equifax Hack (Data Breach) for Small Business
As you’ve probably heard, this week Equifax Inc. (one of the “big-three” credit bureaus) announced a cybersecurity incident that involved a data breach of 143 million U.S. consumer records. A data breach is a form of computer hack where confidential or private data is exposed – accessed, viewed, or stolen by unauthorized individuals. The information that was exposed includes: names, Social Security numbers, birth dates, addresses and some driver’s license numbers, amongst other things. Some credit card numbers were also exposed. This data breach exposes millions of US citizens to potential Identity Theft.
The records were accessed by criminals who hacked into a web server run by Equifax. The criminals had access for an extended period of time – from May through July of this year. This means the information is certainly now in the hands of individuals who could use it for Identity Theft – or for sale to those that would.
In this article, we’ll discuss the key takeaways from this incident. Let’s learn from others’ mistakes.
How Did the Breach Happen?
It’s still early, but all signs point to hackers using a software vulnerability in a web server run by Equifax to gain access. A vulnerability is a bug or defect in the underlying computer code that allows unintended usage or attacks. The specific software component under scrutiny is the Apache Struts Web Framework, an open source software component that is very popular and in use by thousands of companies big and small. But it’s important to note that all complex software has bugs, including security vulnerabilities; this is not a problem specific to Apache Struts.
It’s also possible that multiple vulnerabilities were used in some fashion to gain access to the data. We don’t know details at this point in time.
Who Took the Data?
The incident is being investigated by a specialist firm that provides cybersecurity and forensics services. Details regarding who stole the data aren’t publicly available, and the truth is we’ll likely never know.
Can the Data Be Recovered or Invalidated?
There’s certainly no chance to recover the data: in the realm of digital data, there could be hundreds or thousands of copies worldwide already.
In digital terms, once private data is exposed, it’s exposed forever.
And that is what makes this particular breach significant: so much of the information is not changeable – SSN, date of birth, home address. There’s no easy path such as telling users to change their password, or other steps that can invalidate what was stolen.
The other significance of this event is the sheer size – 143 Million records means 44% of the US population are potentially impacted by this.
What Potential Damages Will Consumers Incur From This Incident?
As mentioned above, anyone impacted by this breach is now at a greatly increased risk of Identity Theft. Fraudulent credit accounts, fraudulent income tax returns, and a variety of other damaging incidents are now possible. Consumers will need to be vigilant for fraudulent transactions, and may need to procure credit freezes, fraud alerts, or credit monitoring services. If Identity Theft happens, the time and expense to undo the damage will be significant.
What Damage Will Equifax Incur From This Incident?
Equifax’s reputation and brand standing will undergo intense scrutiny. Consumer confidence is lost. They are already facing a multi-billion dollar class action lawsuit. They will likely undergo intense scrutiny from one or more government institutions and regulators, such as the Federal Trade Commission (FTC). They will probably be blamed (rightly or wrongly – it doesn’t matter) for the majority of Identity Theft that will occur for the next few years.
This will significantly impact their revenue, expenses, and business productivity for years to come.
What Are Best Practices to Help Mitigate Cybersecurity Incidents?
While we don’t know enough specifics of this incident to comment on it directly, we can talk in general terms about best practices.
First, we need to talk in terms of how you prevent cybersecurity incidents. The array of threats that can lead to a data breach is diverse. Software bugs or vulnerabilities are only one part of the bigger picture. A defense in depth approach to cybersecurity is needed. Defense in depth means layering best practices so that a single failure (one unpatched component, one careless click) does not by itself lead to a breach.
- Security must be designed and implemented up front – the best protection is “baked in” to the systems and databases used to store the data.
- Security patches must be applied regularly – this includes operating system level patches, framework patches (the Apache Struts component in this incident is an example of a framework), and application level patches.
- Custom code must be designed for security – and should be tested – both as it’s developed and in an ongoing fashion.
- Encryption – The real-world happenings of the past few years have indicated that we need more encryption. What’s that? It means cryptographically encoding data using secure keys, ensuring that only those with the proper key can read the data. Encryption at rest (as the data sits in a file), encryption in transit (as the data moves over the Internet, for example), and even encryption in memory are all things to consider. Not all data needs to be encrypted, but information that is highly confidential, such as PII or data covered by HIPAA or PCI-DSS, should be protected with this extra layer of security.
- Penetration Testing – This is an industry term for using white hat hackers to actively attempt to gain access to systems – the ultimate test of security – pitting individuals with the same mindset and skillset as a “black hat” hacker against your system’s defenses.
- Employees must be trained to recognize and avoid security threats – such as phishing emails, social engineering, and other threats. The weak link is often the human in the loop.
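To make the framework-patching point concrete, here is an added example (not code from the article, Equifax, or Apache) that reads a Maven pom.xml, picks out each declared dependency, and flags any whose version is below a known patched minimum. The pom text and the minimum version are constructed placeholders; the real minimum comes from the framework vendor’s security advisory.

```python
"""Flag out-of-date framework dependencies declared in a Maven pom.xml.
Added example; the pom text and MIN_PATCHED are constructed placeholders."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml; the Struts version below is a placeholder.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>other-lib</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>"""

# Placeholder minimum patched versions; take real values from vendor advisories.
MIN_PATCHED = {("org.apache.struts", "struts2-core"): "2.3.5"}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def declared_dependencies(pom_xml):
    """Return [(groupId, artifactId, version)] for every dependency in the pom text."""
    root = ET.fromstring(pom_xml)
    deps = []
    for d in root.findall(".//m:dependency", NS):
        deps.append((d.findtext("m:groupId", namespaces=NS),
                     d.findtext("m:artifactId", namespaces=NS),
                     d.findtext("m:version", namespaces=NS)))
    return deps

def outdated(pom_xml, minimums=MIN_PATCHED):
    """List dependencies whose declared version is below the known patched minimum."""
    return [(g, a, v) for g, a, v in declared_dependencies(pom_xml)
            if (g, a) in minimums and parse_version(v) < parse_version(minimums[(g, a)])]

if __name__ == "__main__":
    for g, a, v in outdated(SAMPLE_POM):
        print(f"UPDATE {g}:{a} {v} -> at least {MIN_PATCHED[(g, a)]}")
```

Run it against a real pom.xml as part of a build or a scheduled check, and treat any line it prints as a patch that is overdue.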
And there’s more. But what you require depends on what sort of data you store and use, how you use it, and what your customers, partners, and industry regulations require.
Another key point from this real-world incident: if your company stores sensitive data, it needs a cybersecurity incident response plan. The worst time to put a plan together is during an incident. Equifax is currently taking a lot of heat for a haphazard and poorly conducted response to this incident. Questions a plan should answer in advance:
- What data do you have?
- Is it secured (and how)?
- What would be the potential damage if it leaked?
- How would you respond?
- Will your customers and partners be asking you these same questions now?
There are many things to consider, and addressing them all would require detailed planning, and a phased project plan for implementation.
Get Help from the Security Experts
We hope this information has been helpful. Your situation and unique requirements will need specific assessment. And remember, we’re here to help. If you’ve got a security or privacy related challenge, reach out to us – we’d love to help. We can assess and advise on your current state of security, as well as help draft an incident response plan.
IT Support by Virtual Operations
Virtual Operations provides IT support for small businesses in the Orlando and Central Florida area. Our managed IT services offering provides the expertise and quality care your small business needs. Please contact us today to find out how we can help with your computer support and network support needs.