It is now common knowledge that the credit reporting agency Equifax was hacked. Lost to the hackers was the personal and permanent identifying information of over 143 million people; 693,665 customers in the UK were affected. The hackers stole Social Security numbers, driving licence numbers, usernames and passwords, and partial credit card details, as well as other financial and credit-related information.
Social Security numbers are forever. The victims will be at risk of identity theft for the rest of their lives. Could Equifax have done a better job of protecting this information? Most definitely. Here are five simple protections that Equifax could have implemented to keep its network secure and its customers safe.
1. Strong Passwords
A security research firm called Hold Security was able to acquire administrative access to the Equifax website in Argentina. In doing so, they gained access to employee records, consumer complaint information and other personal and confidential information. How did they do this? Simple: they used the default password that many manufacturers ship with their products. The username was “admin” and the password was also “admin”. For security reasons, manufacturers recommend changing this login information immediately once a product is installed. Yet, astoundingly, many small businesses and even multinational corporations do not take the time to change default usernames and passwords. This makes it very easy for hackers to access their systems. This may or may not have been a factor in the latest Equifax breach. However, it is reasonable to assume that the lack of a strong password management policy in Argentina will be found at other sites.
2. Employee Awareness
Network security is not the exclusive responsibility of the IT team. Every person in the organisation with access to network resources has a responsibility to protect those resources. This includes complying with the corporate access management policy when using personal devices such as smartphones, laptops and tablets. All employees who access work resources from home should have endpoint security on their home networks. Furthermore, all employees should be cautious when clicking links or attachments in emails, regardless of how official they appear. If you did not ask for that link, do not click on it. Many non-technical employees are not made aware of these and other safeguards. It is the responsibility of the CEO to ensure that IT policies are implemented and that all employees receive training. Furthermore, penalties for breaching security policy should be enforced.
3. Access Management
Not all of the information on corporate systems needs to be accessible to every employee. There should be multiple levels of access, with personal and confidential information off-limits to people whose positions in the company do not require it. Using Equifax as an example, even the CEO of a company does not require full access to all records at all times. For even deeper protection, Data Loss Prevention (DLP) appliances connected to network access links by intelligent TAPs can set and enforce policies that determine which data formats may not be downloaded to certain devices. For example, a policy could restrict the downloading of any National Insurance number matching a given format, and the restriction could apply regardless of the user’s credentials.
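As an added example, not code from the article, this is the kind of content rule such a DLP policy applies: it scans an outbound payload for UK National Insurance numbers using the commonly published format rules (assumed here, as noted in the comments), then blocks the transfer and redacts the values for logging whatever credentials the requester holds. The sample export is constructed.

```python
import re

# National Insurance number layout: two letters, six digits, one suffix letter A-D.
# Optional spaces between groups are accepted because copied values often read "AB 12 34 56 C".
NINO_RE = re.compile(r"\b([A-Za-z]{2})\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-Da-d])\b")

# Structural rules of the format as commonly published (assumption, not taken from the article):
# the first letter is never D, F, I, Q, U or V; the second letter is never D, F, I, O, Q, U or V;
# and a small set of two-letter prefixes is never allocated.
BAD_FIRST = set("DFIQUV")
BAD_SECOND = set("DFIOQUV")
UNALLOCATED_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}

# Constructed sample of a customer export; none of these values belong to a real person.
SAMPLE_EXPORT = (
    "Customer export (constructed sample)\n"
    "Jane Doe, NI AB 12 34 56 C, account 778\n"
    "John Roe, NI jg456789d, account 779\n"
    "Reference QQ 12 34 56 A is a complaint id, not an NI number\n"
)


def plausible_prefix(prefix):
    """Reject matches whose prefix letters cannot occur in a real NI number."""
    return (prefix[0] not in BAD_FIRST
            and prefix[1] not in BAD_SECOND
            and prefix not in UNALLOCATED_PREFIXES)


def find_ninos(text):
    """Return the plausible NI numbers found in text, normalised to the form AB123456C."""
    hits = []
    for m in NINO_RE.finditer(text):
        prefix = m.group(1).upper()
        if plausible_prefix(prefix):
            hits.append(prefix + m.group(2) + m.group(3) + m.group(4) + m.group(5).upper())
    return hits


def redact(text):
    """Mask plausible NI numbers so the payload can be logged without re-exposing them."""
    def mask(m):
        return "[NI-NUMBER]" if plausible_prefix(m.group(1).upper()) else m.group(0)
    return NINO_RE.sub(mask, text)


def dlp_decision(payload, max_allowed=0):
    """Block when the payload carries more NI numbers than policy allows, regardless of the user."""
    ninos = find_ninos(payload)
    return {"block": len(ninos) > max_allowed, "count": len(ninos), "redacted": redact(payload)}
```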
4. Executive Training
In order to maintain what credibility is left after a major breach of confidence, the company needs to navigate the post-breach waters carefully, showing empathy for the victims and a willingness to do whatever it takes to remedy the situation. The Equifax response fell a little short. Firstly, they did not notify the public of the breach for approximately five weeks. Meanwhile, executives were selling stock. The remedy offered to the consumer victims is credit monitoring for one year. The mismanagement has put life-long personal information in the hands of thieves, and Equifax is promising to protect victims from these cybercriminals for only one year. The stolen information can be used and sold by the hackers, allowing thieves to open credit accounts, file fraudulent tax returns, obtain loans and buy products for life. Dates of birth and National Insurance numbers do not expire.
5. Encryption
Ransomware hackers make a habit of encrypting data. The data is not theirs, but once they gain access to it they encrypt it. Then they charge the victim for the key to decrypt it. The victim’s data is worthless and unusable until the key is purchased. Imagine if Equifax had encrypted the personal, confidential and perpetually usable data in the files of 143 million of its customers. Even if the hackers had penetrated the passwords, firewalls, IPS, DLP and other access controls and protections on the network, encrypted customer data, with the keys held apart from it, would be worthless to them.
There is now a £50bn class action lawsuit being prepared against Equifax. Any company that holds confidential customer information in a networked environment needs to be extremely vigilant in protecting that information. The cost of a breach, as we see here, is much greater than the cost of building a robust security platform and training all employees on security policy. At the end of the day, keeping customers safe from cybercriminals is the natural priority.