7 Takeaways From The Equifax Data Breach
The exposure of PII belonging to 143 million US consumers raises questions about the continued use of SSNs as identifiers, breach liability and app sec spending.
September 11, 2017
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt2f38531a4b0a1558/64f0d7741d4a42fd9b28ce25/01-equifax.jpg?width=700&auto=webp&quality=80&disable=upscale)
Credit bureau Equifax's disclosure last week that unknown intruders had broken into its systems and accessed sensitive data on 143 million US residents has evoked a mixture of resignation, concern, and outrage.
The resignation stems from the fact that the breach follows the same pattern as countless ones before it. Once again a security hole in a Web application gave intruders a way into a major company's systems, and they were able to siphon out a massive amount of data over more than two months without apparently triggering any alarms. The pattern has become so familiar in recent years that there are few genuinely new lessons to be learned from such breaches, at least from a security preparedness standpoint.
The sheer scope of the Equifax compromise has caused a lot of concern. The breach could well be the largest ever involving the exposure of Social Security Numbers, driver's license numbers, and other personally identifiable information. Victims could be at risk of identity theft and impersonation fraud for the foreseeable future.
What has caused the outrage is the apparent security lapse that allowed a breach of this magnitude to happen. Many feel that Equifax, as a company holding vital PII on a very large swath of the American population, should have been especially careful about protecting that data. Instead, the breach appears to have resulted from its failure to address an Apache Struts vulnerability that it should have known about and patched.
A lot has been made of the growing sophistication of threat actors and the increasingly capable tools at their command. The depressing reality, however, is that attackers rarely need anything more than rudimentary tools and techniques. As SentinelOne's chief of security strategy Jeremiah Grossman points out, many breaches can be prevented. "If we review the history of breaches, very few, if any, were the result of an exploit or attack technique that couldn't be seen coming," he says. "With respect to the vulnerabilities exploited, we know everything about them—how to prevent them, detect them and fix them." The people in the best position to make an impact, however, are not incentivized to do so.
Here in no particular order are seven takeaways from the Equifax breach:
Application-level vulnerabilities have been behind more data breaches in recent years than any other single vector. Equifax, too, blamed its intrusion on an application security issue, but the company has not specified exactly what it was. Baird Equity Research, however, identified the issue as a known security flaw in the open-source Apache Struts framework for Java web applications.
If accurate, the report would confirm the consensus among security analysts that the vulnerability was one Equifax should certainly have known about and been protected against.
The dangers posed by buggy web applications, and the sheer number of vulnerable applications in use, are both well understood. The Open Web Application Security Project's (OWASP) Top 10 list of web application security risks has included more or less the same issues for the past several years, meaning that people have had ample time to address them. Using components with known vulnerabilities has been an entry on that list since 2013, and an unpatched framework is precisely that.
Yet, as breaches like the one at Equifax have kept highlighting over the years, clearly many are not paying heed.
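One concrete check that would have surfaced the class of problem described above is to compare the build's declared dependencies against an advisory feed of affected version ranges. The Python below is an added example, not code from the article, from Equifax or from the Apache project. The advisory entries, the component name, the version ranges and the pom.xml are all constructed sample data for illustration; a real check would pull ranges from a vulnerability feed and resolve transitive dependencies too.

```python
"""Flag vulnerable third-party components declared in a Maven pom.xml.

Added example, not code from the article. The advisory table and the
sample pom below are constructed for illustration only.
"""
import re
import xml.etree.ElementTree as ET

# Constructed advisory feed: component -> list of inclusive affected ranges.
# The ranges are illustrative sample data, not taken from the article.
ADVISORIES = {
    "org.apache.struts:struts2-core": [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")],
}

# Constructed sample pom.xml for a Java web app; the Struts version is
# declared through a property, as many real builds do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.30</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.5</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '2.3.31' into (2, 3, 31); qualifiers like '-SNAPSHOT' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def _pad(t, n):
    # Missing trailing components compare as 0, so '2.5' == '2.5.0'.
    return t + (0,) * (n - len(t))


def in_range(version, low, high):
    """Inclusive range test on numeric version tuples."""
    v, lo, hi = map(parse_version, (version, low, high))
    n = max(len(v), len(lo), len(hi))
    return _pad(lo, n) <= _pad(v, n) <= _pad(hi, n)


def dependencies(pom_xml):
    """Yield (group:artifact, resolved version), expanding ${property} refs.

    Limitation (assumption): versions inherited from a parent pom or
    dependencyManagement are not resolved here and are skipped.
    """
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: p.text for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        g = dep.findtext("m:groupId", namespaces=NS)
        a = dep.findtext("m:artifactId", namespaces=NS)
        v = dep.findtext("m:version", default="", namespaces=NS)
        v = re.sub(r"\$\{(\w[\w.]*)\}", lambda m: props.get(m.group(1), m.group(0)), v)
        if v:
            yield f"{g}:{a}", v


def vulnerable_components(pom_xml, advisories=ADVISORIES):
    """Return [(component, version, (low, high))] for every advisory hit."""
    hits = []
    for comp, ver in dependencies(pom_xml):
        for low, high in advisories.get(comp, []):
            if in_range(ver, low, high):
                hits.append((comp, ver, (low, high)))
    return hits


if __name__ == "__main__":
    for comp, ver, (low, high) in vulnerable_components(SAMPLE_POM):
        print(f"VULNERABLE {comp} {ver} (affected {low}..{high})")
```

Run in CI against every build file, the check fails the pipeline on any hit; the point is that a framework version is data you already own, so matching it against published ranges needs no exploit knowledge at all.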
As countless organizations have discovered in recent years, data breaches can be very costly. The direct and indirect costs of a major breach, including those related to notification, remediation, credit monitoring, lawsuits, fines, and lost productivity can sometimes add up to tens and even hundreds of millions of dollars.
The total cost of the 2014 breach at the U.S. Office of Personnel Management, which exposed some 21 million SSNs (against 143 million at Equifax), is expected to top $1 billion. Target, as Baird Equity noted in its report, incurred costs of $292 million; Home Depot's breach cost it $198 million; and Anthem paid out a $115 million settlement.
TJX and Heartland Payment Systems, which suffered massive payment card breaches many years ago, ended up paying more than $250 million and $140 million respectively to address the fallout from those incidents, and this was years before people had begun getting really lawsuit-happy over breaches.
The Equifax breach is likely going to end up being the largest-ever involving SSNs, so the potential cost implications for the company could be significantly higher than any of these numbers.
Breaches like this one matter as much as they do because private and public sector organizations continue, overwhelmingly, to use Social Security Numbers as identifiers and, worse, as authenticators.
Despite broad awareness that stolen SSNs enable widespread identity fraud and financial misuse, the numbers are still used to prove identity for almost every conceivable purpose, including health care, transportation, Social Security benefits, financial services and mortgages. An SSN is issued once and, outside a handful of exceptional circumstances, never changes, which means that once it is compromised the victim is at permanent risk of fraud and impersonation. A number known to every employer, lender and clinic a person has ever dealt with can serve as an identifier, but it cannot serve as a secret.
Efforts to eliminate the over-collection and unnecessary use of SSNs within government have been underway for several years. There have even been attempts at regulation that would require government entities to use an alternate identifier. But a study by the U.S. Government Accountability Office (GAO) earlier this year found that, even 10 years into the effort, SSNs remain in wide use across government. The situation is the same across the private sector.
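The design alternative the paragraphs above point at is to stop keying records on the SSN at all: the application stores an opaque surrogate token, and the real number lives only in a separately controlled vault that releases it to a short allow-list of functions. The Python below is an added example, not code from the article or from any credit bureau; the in-memory dict standing in for the vault, the HMAC key, the "tax-reporting" role and the token format are all assumptions made for illustration.

```python
"""Replace the SSN as a record key with a vault-issued surrogate token.

Added example, not code from the article. The vault is an in-memory
dict here; in practice it is a separate service and INDEX_KEY comes
from a KMS or HSM (assumption).
"""
import hashlib
import hmac
import secrets

# Constructed key for the blind index; never stored beside the data.
INDEX_KEY = secrets.token_bytes(32)

# Assumed allow-list of callers that genuinely need the real number.
DETOKENIZE_ROLES = {"tax-reporting"}


def normalize_ssn(raw):
    """Canonicalise '123-45-6789' / '123 45 6789' to 9 digits, or reject."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


class TokenVault:
    """Maps an opaque surrogate token to the SSN it stands for.

    The application database stores only the token, so a dump of that
    database yields nothing that can be replayed as an SSN elsewhere.
    """

    def __init__(self, index_key):
        self._index_key = index_key
        self._by_token = {}   # token -> ssn: the only place the SSN lives
        self._by_index = {}   # blind index -> token, for de-duplication

    def _blind_index(self, ssn):
        # An unkeyed SHA-256 of a 9-digit number is reversible by simply
        # enumerating all 10**9 values. Keying the hash with a secret the
        # database never sees is what makes the index safe to store.
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, ssn):
        """Return the surrogate for ssn, issuing a random one on first sight."""
        idx = self._blind_index(ssn)
        if idx in self._by_index:
            return self._by_index[idx]
        token = "tok_" + secrets.token_urlsafe(16)   # random; carries no SSN bits
        self._by_token[token] = ssn
        self._by_index[idx] = token
        return token

    def detokenize(self, token, caller_role):
        """Release the real SSN only to the allow-listed roles."""
        if caller_role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._by_token[token]


if __name__ == "__main__":
    vault = TokenVault(INDEX_KEY)
    t1 = vault.tokenize(normalize_ssn("123-45-6789"))   # constructed sample
    t2 = vault.tokenize(normalize_ssn("123 45 6789"))
    print(t1 == t2, t1)                 # same person, same surrogate
    print(vault.detokenize(t1, "tax-reporting"))
```

Two things the example makes explicit: the token is what the rest of the system joins on, so it can be rotated or revoked if leaked, unlike the number it replaces; and no code path treats knowledge of the SSN as proof of identity, because after a breach of this size that knowledge proves nothing.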
It has become standard for companies that suffer a data breach to offer one year's worth of free credit monitoring for victims. Equifax has done so already. While such monitoring is better than nothing, it still does not amount to a whole lot.
Data like your Social Security Number and birth date don't change over time. As long as they are floating around in the wild, and as long as organizations continue to use them as identifiers, they can be misused for fraudulent purposes at any time, years after the breach.
There is nothing to suggest that the risk of your data being misused somehow stops after one year. Once the free monitoring ends, the practical options are to place a freeze on your credit files, with each bureau individually, or to keep paying for monitoring yourself.
The use of stolen personally identifiable information (PII) such as SSNs, birth dates and driver's license data in identity theft and impersonation fraud can be very costly for victims of breaches like the one at Equifax. In the underground market, though, dossiers containing full sets of PII on individuals, known as 'Fullz', currently sell for less than certain categories of credit card data, according to research from Secureworks.
Depending on factors like who's selling, the victim's country, and extras such as a full passport scan of the victim, a Fullz record fetches around $10. That is in contrast to the nearly $20 per card that credit and debit cards with high balances can garner on the Dark Web, Secureworks' research showed.
One reason PII records are cheaper, even though they offer a potentially much bigger upside from a crook's standpoint, is probably that identity and impersonation fraud are harder to pull off than credit card fraud.
Equifax first discovered the intrusion on July 29th but did not publicly disclose it until Sep. 7. That means there was a period of 40 days between when the company knew that tens of millions of SSNs and other sensitive personal data was potentially being misused, and when victims were told about it.
Breach disclosure laws generally mandate quick notification unless the data is well-protected (via encryption for instance), or if a disclosure would jeopardize an ongoing investigation and similar limited reasons.
When enforcement of the European Union's General Data Protection Regulation (GDPR) begins in May 2018, companies like Equifax that handle data on EU residents will find it much harder to justify 40-day disclosure times. A company that suffers a breach involving EU personal data will in most cases have to report it to the relevant supervisory authority within 72 hours of becoming aware of it, and to notify the affected individuals without undue delay when the breach puts them at high risk. For many organizations that will mean a drastic overhaul of existing breach response and notification processes.
Attacks like the one at Equifax and the DDoS attacks on DNS service provider Dyn last year, which caused disruptions for many major websites, are an indication that threat actors are turning their focus on bigger and more impactful targets, said Alp Hug, founder and COO of Zenedge. Recent news from Symantec about the Dragonfly APT group apparently now having the potential to tamper with systems controlling the US power grid would certainly seem to add to those concerns.
"Increasingly, we are going to continue to see this trend of hackers going after larger, more strategic, more impactful targets," Hug noted. "Why go after one nuclear plant, when you can shut down the entire continent. Why go after one hospital and its devices, when you can go after all IoT devices from a manufacturer?"