In 2017, Equifax hit the headlines when over 147 million customers had their account data exposed. The attack has gone down in history as one of the most damaging, and not just for people like you and me, who had our personal data put up for sale on the darknet. No, this breach has hit home hard. Firstly, the ex-CIO, Jun Ying, ended up with a 4-month jail sentence for insider trading when he sold off shares before telling the rest of us about the breach.
And now…just when it feels like it can’t possibly get worse, Equifax has done it again and shocked us with some of the worst security practices, ever!
Digging a Security Hole: Where Equifax Went Wrong
After the data breach, there were fines, including one from the UK’s Information Commissioner’s Office (ICO) for £500,000. But beavering away in the background, a civil class action was being prepared. The details of this class action are available, and we have read through the shocking FAILS that led to the Equifax data breach.
Here are some of the details of the civil action file. Prepare to roll your eyes to the heavens; it doesn’t get much more horrifying in security than this.
Recognised Security Target
This is important…The action points out that Equifax was fully aware that it was a high-profile target for a cybersecurity attack. The SEC filings specifically point out:
“…it (Equifax) was regularly the target of criminal hackers, and that a cybersecurity incident could subject it to a variety of serious consequences”
The file continues, stating that Equifax placed a notice on its website that the company applied:
“strong data security and confidentiality standards” and maintained “a highly sophisticated data information network that includes advanced security, protections and redundancies.”
The Plaintiff’s Claims
The plaintiff in the case sets out that Equifax’s security measures were “grossly inadequate,” and “failed to meet the most basic industry standards.”
The action also levels some eye-opening claims about how poorly managed security was at Equifax.
Patch management
Some poor individual had the lone responsibility to patch the entire network at Equifax. To make matters worse, this person didn’t have any tools to make them aware of vulnerable software. Good practice says that you should automate patching at the least – a large organisation like Equifax had no excuse not to follow best practices.
Encryption of data and data storage
So, lack of patch management is bad enough, but Equifax didn’t even encrypt much of the sensitive data in their care.
And… wait for it…not only was data left unencrypted, but it was on a public-facing website too.
When they did encrypt data, an audit by Deloitte in 2016 found encryption keys left on a public-facing server for anyone to use – a little like leaving your house keys in the lock.
And there is more! The transmission of data over the internet wasn’t encrypted either: Equifax, this is security 101!
Any cybercriminal hacking the webserver could literally gorge on a feast of data.
Authentication
Authentication at this juncture is almost at the ‘what’s the point’ stage. However, if you want to know how NOT to do secure login, read on.
We all know that data breaches are common. Yet, Equifax used easily obtainable information such as the four-digit PINs derived from Social Security numbers (in the U.S.) and birthdays to create passwords.
This lack of a robust password policy continues in the Equifax saga, as they used the username “admin” and the password “admin” to control access to a customer portal that contained large amounts of sensitive data on credit disputes.
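A defender-side check for the two authentication failures described above, default credential pairs and passwords built from SSN digits or birthdays, written as an added example (not code from Equifax or the court filing). The function names, the default-pair list, the 12-character minimum and the sample SSN and birth date are assumptions constructed for illustration.

```python
import re
from datetime import date

# Constructed list of default pairs; extend it from your own asset inventory.
DEFAULT_PAIRS = {("admin", "admin"), ("root", "root"), ("admin", "password")}


def pii_tokens(ssn: str, dob: date) -> set[str]:
    """Digit strings that anyone holding the SSN and birthday could derive."""
    digits = re.sub(r"\D", "", ssn)
    y, m, d = f"{dob.year:04d}", f"{dob.month:02d}", f"{dob.day:02d}"
    tokens = {
        digits, digits[-4:],                  # full SSN and the "last four" PIN
        m + d, d + m, y,                      # MMDD, DDMM, YYYY
        m + d + y, d + m + y, y + m + d,      # full dates in common orders
        m + d + y[2:], d + m + y[2:],         # two-digit-year variants
    }
    return {t for t in tokens if len(t) >= 4}  # drop empty or too-short tokens


def credential_problems(username: str, password: str, ssn: str, dob: date,
                        min_len: int = 12) -> list[str]:
    """Return the reasons a proposed credential should be rejected."""
    problems = []
    u, p = username.lower(), password.lower()
    if (u, p) in DEFAULT_PAIRS:
        problems.append("default credential pair")
    if p == u:
        problems.append("password equals username")
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Strip separators so "04/12/1985" and "04-12-1985" are both caught.
    normalized = re.sub(r"[^a-z0-9]", "", p)
    if any(tok in normalized for tok in pii_tokens(ssn, dob)):
        problems.append("contains SSN- or birthday-derived digits")
    return problems


# Constructed sample identity (SSN area 000 is never issued).
SAMPLE_SSN, SAMPLE_DOB = "000-12-3456", date(1985, 4, 12)

if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("jdoe", "3456"),
                     ("jdoe", "04/12/1985"),
                     ("jdoe", "correct horse battery staple")]:
        print(user, repr(pw), credential_problems(user, pw, SAMPLE_SSN, SAMPLE_DOB))
```

Run at password-set time and during periodic credential audits; a four-digit match can occasionally flag an unrelated long passphrase, so treat a hit as a prompt to choose a different secret.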
Security monitoring
The Equifax data breach was massive, but it could have been contained if the company had at least used simple monitoring techniques that create audit logs. Monitoring network events would have alerted IT to something odd and the breach could have been minimised at least. Instead, the cybercriminals were able to steal data over a 75-day period.
How Not to Do an “Equifax”
As it stands, in the U.S., Equifax has agreed to pay USD 575 million, and possibly up to USD 700 million. In the UK, Hayes Connor Solicitors are handling the group action and are hoping for a £100 million pay-out.
Equifax was warned about their security vulnerabilities but took no action. They even had smaller data breaches in the run-up to the big one – a clear message to batten down the hatches.
Equifax is likely to become the poster child for doing security badly. We can all at least learn from their mistakes. The security failures in the list above are a good place to start in making sure your own network is secure. But don’t forget security awareness training. Even people in the IT department need to have training that is tailored to their role. People’s awareness of security issues is your insurance policy. Well-trained staff can help to maintain good practice across all departments.