What To Learn From The Equifax Data Breach
In 2016, successful breaches via flaws in websites and mobile apps accounted for 30% of the nearly 2,000 disclosed data breaches worldwide. The average company spends only 3% of its security funds on protecting the websites and mobile apps so frequently targeted by hackers. Instead, the majority of their security budgets remain allocated to tools and services to protect legacy network or hardware systems that pose less risk.
The data breach at Equifax, the U.S. credit-reporting company, exposed the personally identifiable information of 143 million people. A class action lawsuit has already been filed claiming that the cost of the hack is around $70 billion in damages. Initial reports claim that a bug in Apache Struts, open-source software that provides a programming framework for building web applications in Java, was the root cause of the compromise.
Even if this is true, it might not be the only vulnerability that existed or that enabled the attack. A single point of failure should not result in the compromise of 143 million highly valuable records. These breaches are a failure of leadership and culture as much as they are a failure of network security.
Here are some of the biggest issues Equifax dealt with following its cyberattack:
DELAYED DISCLOSURE: Equifax discovered that its systems had been breached on July 29 and reported it more than a month later, on September 7. Equifax said hackers accessed the information starting on May 13, but the Wall Street Journal reported that the first "interaction" with hackers happened on March 10. The company registered the domain name equifaxsecurity2017.com, the website Equifax directed customers toward to learn more about the breach, on August 22, more than two weeks before the hack was publicly disclosed, according to the Wall Street Journal. Notification shouldn't be arbitrary or an afterthought. The company's transparency toward consumers and shareholders should be the primary line of questioning.
REACT TO THE HACK: Shortly after the breach, three executives sold shares worth almost $1.8 million. Equifax claims that those executives did not know of the breach at the time of the sale, but their actions did exacerbate the PR nightmare that has ensued. That reaction was then worsened when Equifax attempted to limit the recourse available to those affected. Meanwhile, many consumers trying to figure out the fate of their own personal information were left puzzled by the company's sputtering response so far.
FREE CREDIT MONITORING: Equifax announced a free service to help consumers protect themselves in the wake of its massive data breach. Credit monitoring services protect you by keeping tabs on your credit reports at the three major credit reporting agencies (Equifax, Experian, and TransUnion) and alerting you to any changes in activity that could indicate possible fraud. But some experts recommend saving your money by doing something that is potentially even more effective: freezing your credit yourself, which locks down your report entirely. You can't apply for a new credit card or a loan until you lift the freeze yourself.
The Equifax hack is a wake-up call, but we have had more than enough wake-up calls. Organizations must realize that a good security program entails a comprehensive protection, detection, and reaction strategy.