As you probably know, Equifax (one of the three big credit bureaus in North America and the UK) announced that it had been breached (unauthorized access was discovered on the 29th of July). So far, the predictions are that this leak of sensitive personal data impacts over 143 million American, Canadian and British citizens.
What is a credit bureau? It is an organization that makes money by gathering and compiling huge amounts of personal and financial data about consumers and selling it to third-party marketers, with the purpose of being able to provide a credit score for a given individual that demonstrates that person's financial capability when they apply for credit.
Obviously, these incredibly detailed dossiers contain tons of sensitive information that could be used to impersonate a person for either financial gain or to cause harm.
Historically speaking, all credit bureaus have had problems keeping their sensitive information secure; Experian, for example, had a breach in 2015 which exposed data for over 15 million people.
As the investigation is still under way (after detecting the breach in July, Equifax hired a security company to investigate all details of the breach and the depth of the data leakage and to do proper forensics), few details of what really happened have been released. But what is known so far is very troubling and does not look good for Equifax's cyber-security posture. The official statement from Equifax is that the attackers broke into the company's systems by exploiting an application vulnerability and then gained access to certain files. There is no mention of the exact vulnerability that facilitated the breach. The fact that there is no mention of a zero-day vulnerability (an unknown flaw), which would make Equifax less culpable and which it would therefore make sense for them to highlight, suggests that the vulnerability was known. That in turn means that Equifax was not patching its internet-accessible public services on time, nor had it properly configured an advanced IPS or other security controls; both are a must when you operate with such highly sensitive data. Other security best practices were obviously not followed either, since the attackers were able to reach real data after breaching an internet edge service.
Equifax came up with a plan to offer its customers some kind of after-the-fact sense of security and announced a new portal (www.equifaxsecurity2017.com) where customers might be able to check whether their personal and financial information was among the data that was stolen. However, this portal did not give any such information. Usually it was either not working (it gave a "System Unavailable" message, probably due to high load), or it was experiencing certificate issues and was therefore blocked by many web security solutions (such as Cisco OpenDNS), or, when people finally got it to work, it gave unclear information: a possible scheduled date for enrolling in another service (credit protection) called TrustedID. On top of that, some security researchers noticed that this same output is presented whether the customer enters real data (the portal asks for a last name and the last 6 digits of a social security number) or made-up data. It seems this portal is nothing but a diversion of attention from the real problem.
Until recently, Equifax was looking to hire a vice president of security (they see that position as fulfilling the role of a CISO). This position is vital for a company which possesses such sensitive information and should not be left vacant. Cyber-security is a mindset, and it takes time and persistence to build. It should always come from the top positions in a large company and have the backing of top managers.
Some simple cyber-security lessons to learn
More materials:
https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans