Equifax announced a massive breach that could impact at least 143 million US consumers. That’s 44% of the US population. This breach will have a significant impact on a lot of people.
Companies in the financial sector take cybersecurity very seriously. Part of that work is accepting the reality of today’s threat landscape. Security teams work to prevent as many attacks as possible but also practice and plan to recover quickly when a breach does occur.
Cybersecurity incidents are complex in nature. Businesses that operate at the scale of Equifax have a lot of moving parts and many different teams that need to co-ordinate their work.
All of this work has to happen while the day-to-day business of the company continues as undisturbed as possible. It’s a difficult balance to maintain.
Based on their current statement, we know a few of the facts:
- Attackers had access to the data mid-May to 29-July-2017
- Once the company detected the intrusion, they stopped it
- Once stopped, they called in an reputable outside firm to help with the forensics
- After assessing the impact to consumers, they’ve taken steps to help protect them from further damage
From the outside, this shows us that Equifax has a strong incident response process in place and that process is working. Some may question calling in an outside firm to help with the forensics but they are a couple of significant advantages to doing so.
The first is to have more hands on deck. A true forensics investigation takes a lot of time and is a huge undertaking. Getting additional trained staff to take on this work allows the core team to continue to defend the network and help restore operations.
The second advantage is that an outside team approaches the problem with fresh eyes and no preconceptions about how various systems are integrated. They ask questions that existing teams may overlook.
Equifax hasn’t released any technical details about the intrusion yet beyond that the attackers used an vulnerability in one of their applications to gain access. That’s ok, that information isn’t valuable to the impacted consumers at this point.
What is important is the communications around the breach and that’s where Equifax stands out as a positive example.
Most breach notifications follow a very predicable pattern. It’s one we’ve seen used time and time again and it’s long been a sore point for most people in the security community (myself included as I’ve been complaining about it for years now).
The general pattern is this:
- We’ve had a breach
- Don’t worry & don’t blame us
- We’re doing what we can to make this go away
- Here’s some basic coverage to protect your credit score
Breach communications are often written in legalize or least in bland corporate speak. Understandably so as they are designed to minimize liability as well as reduce panic or concern. It’s an unfortunate example of good intentions getting pushed down by process.
Equifax bucks this trend and—while the language could still be less formal—does a fantastic job of clearly explaining the issues at hand.
Their statement (which has already been updated to include new information) clearly states the:
- scope of the breach
- 143 million US consumer records
- An unknown number of Canadian and UK consumer records
- ~209,000 US consumer credit cards
- Dispute documents relating to ~182,000 US consumers
- steps they taking to gather more information
- how that information is being communicated to affected consumers
- who they are working with to address the situation
- what they have already setup to help consumers deal with the situation
- that they accept ownership of the issue
It’s this last point that really stands out. In the breach notification, they have a quote from their Chairman and CEO, Rick Smith. Having a senior executive quoted in a notification is somewhat common, though it’s rarely the CEO. Equifax takes this a step further and has a video from Mr. Smith explaining the situation.
Equifax is the victim here. But they’ve put that aside and their leader is on camera taking ownership of the issue and doing his best to help affected consumer deal with the situation.
This is exemplary work by their incident response team.
Cybercrime is a growth area for criminals. Data is extremely valuable and a dataset of this size could be worth $27 million or more in the digital underground (based on the lowest pricing in our North America Underground paper. Page 14. $19 per 100 records).
That’s why we’ll continue to see more and more attacks by criminals moving forward. Despite the defenders best efforts, some of these attacks are going to be successful.
Where teams will fail is by failing to plan for a breach. Incident response plans should clearly lay out responsibilities, how teams communicate (outside of email), and a pre-approved external communications plan that you can work from. This is not a scenario where you want to be shooting from the hip.
Equifax was clearly prepared to handle the fallout from a breach. That’s a sign of a well trained, well prepared team. We should all follow their example.
Are you prepared to handle incidents when they occur? How has your organization’s leadership reacted to your external communications plan? Let me know on Twitter where I’m @marknca or connect with me on LinkedIn.