The Equifax Breach One Year Later: 6 Action Items for Security Pros
The Equifax breach last September was the largest consumer breach in history. We talked to experts about lessons learned and steps companies can take to prevent and minimize future breaches.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt2fc8423c10718b64/64f0d5b525b2c6db3d27b65c/shutterstock_1170168391.jpg?width=700&auto=webp&quality=80&disable=upscale)
Large breaches have become such a fact of everyday life for the past few years that it’s easy to pass off the Equifax breach last September as just another in a long string of bad security news. But make no mistake about it: this was a huge breach that will take several years to sort out.
When the dust settled earlier this year, Equifax finally disclosed that 147.9 million people were affected in some way. Sensitive personal information was stolen, including the names, Social Security numbers, and dates of birth of the victims, as well as phone numbers, email addresses, and genders.
George Avetisov, CEO of HYPR, says while the breach itself caused great harm, rank-and-file consumers and companies not directly affected by the Equifax breach are still at risk because all that personal data still resides on the Dark Web and can be used for future account fraud, synthetic identity attacks and credential re-use.
"We know how many consumers had their data stolen," Avetisov says. "But it's difficult to quantify the impact, as we may never know the full extent of the account fraud and credential re-use that will stem from the Equifax breach for years to come."
Avetisov and other experts say companies must do all the security hygiene basics, such as patching more effectively, deploying encryption and tokenization, and, above all, taking better care of their data.
"Companies have to start treating data as something of value," says Brian Vecci, technical evangelist at Varonis. "Start by turning on the lights and finding what data you have."
In putting together this slideshow, we talked to Avetisov and Vecci; Julie Conroy, research director for Aite Group’s Retail Banking practice; and Peter Firstbrook, a research vice president at Gartner who focuses on security.
Too often in security we are our own worst enemies. Most analysts agree that the Equifax breach could have been prevented or minimized if the company had instituted a solid patching system that would have identified a vulnerability in an Apache Struts application. While companies need to focus on encryption and do a better job at data management, Peter Firstbrook, a research vice president with Gartner who focuses on security, says setting up a consistent patch and configuration management program can prevent the vast majority of breaches. A ServiceNow study conducted by the Ponemon Institute found that 57% of breaches could have been prevented by an available patch.
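The patch-management point above is easier to act on with an inventory check than with a policy statement. The following is an added example written for this page, not code from Gartner, ServiceNow or the Ponemon study: it compares a deployed-component inventory against a table of the minimum version that carries a fix and reports what is still unpatched. Host names, component names, versions and the "fixed-in" table are constructed sample values, not real advisory data; a real program would feed it from a CMDB and a vulnerability feed.

```python
"""Patch-gap report for a software inventory.

Added example (not from the article or from any vendor named in it).
Given an inventory of deployed components and a table of the minimum
version that carries the fix for a known issue, list what is unpatched.
All names, versions and the fixed-in table below are constructed samples.
"""
import re


def parse_version(text):
    """Turn '2.3.32' into (2, 3, 32) so versions compare numerically.

    A plain string comparison would rank '2.9.4' above '2.9.10', which is
    exactly the mistake that makes a host look patched when it is not.
    Only dotted-numeric versions are handled here.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed, fixed_in):
    """True when the installed version is at or above the first fixed version."""
    return parse_version(installed) >= parse_version(fixed_in)


def patch_gap_report(inventory, fixed_in_table):
    """Return (host, component, installed, fixed_in) rows for unpatched components.

    inventory: list of dicts with host / component / version.
    fixed_in_table: {component: minimum patched version}.
    Components absent from the table have no known issue to check and are skipped.
    """
    gaps = []
    for item in inventory:
        fixed = fixed_in_table.get(item["component"])
        if fixed is None:
            continue
        if not is_patched(item["version"], fixed):
            gaps.append((item["host"], item["component"], item["version"], fixed))
    return gaps


# Constructed sample inventory and fixed-version table (illustrative only).
SAMPLE_INVENTORY = [
    {"host": "web-01", "component": "struts", "version": "2.3.30"},
    {"host": "web-02", "component": "struts", "version": "2.3.40"},
    {"host": "api-01", "component": "libxml", "version": "2.9.4"},
    {"host": "api-01", "component": "nginx", "version": "1.14.0"},
]
SAMPLE_FIXED_IN = {"struts": "2.3.32", "libxml": "2.9.10"}

if __name__ == "__main__":
    for host, comp, have, need in patch_gap_report(SAMPLE_INVENTORY, SAMPLE_FIXED_IN):
        print(f"{host}: {comp} {have} is below fixed version {need}")
```

The report is only as good as the inventory behind it, which is why the experts quoted here tie patching to configuration management: a component that is not in the inventory is never checked.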
In today's threat landscape, it's not a matter of if the organization will be hacked, it's a matter of when. Julie Conroy, research director for Aite Group's Retail Banking practice, says companies must assume they will get hacked, so working to devalue the data makes the most sense. "So when the hackers get in, there's very little of value available to them because the data is encrypted," Conroy adds.
George Avetisov, CEO of HYPR, says companies have to change their mindset about data management. While inconsistent patch management played a major role in the Equifax breach, Avetisov maintains that by centralizing user PII, Equifax left itself open to a single point of failure. Avetisov says that companies have to do a better job managing data. They can start by asking important questions such as: What sensitive data do I have? What is it used for? Do I really need all of this sensitive data, and what data can I delete? Avetisov says many companies are starting to move away from the single point of failure by decentralizing credentials such as passwords, credit card numbers, and biometrics.
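Two of the steps above, Conroy's "devalue the data" and Avetisov's "what sensitive data do I have?", can be shown in one short program. The following is an added example written for this page, not code from HYPR, Varonis or Aite Group: a discovery pass that inventories which record fields hold SSN-like or e-mail-like values, followed by a keyed tokenization step so the copy that stays in the application database carries tokens instead of the raw values. The records and the key are constructed samples; in practice the key lives in a separate key store or HSM, and many deployments use a vault of random tokens rather than the keyed hash used here.

```python
"""Inventory sensitive fields, then replace them with tokens.

Added example (not from the article or from any vendor named in it).
Step 1 answers "what sensitive data do I have, and where does it live".
Step 2 devalues it: the stored copy holds only tokens, so a stolen table
reveals nothing without the key, which is kept outside the database.
Records and the key below are constructed samples.
"""
import hashlib
import hmac
import re

# Simple shape checks; a production classifier would use more patterns and validation.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify(value):
    """Return 'ssn', 'email' or None for one field value."""
    if not isinstance(value, str):
        return None
    if SSN_RE.match(value):
        return "ssn"
    if EMAIL_RE.match(value):
        return "email"
    return None


def inventory(records):
    """Map each field name to the set of sensitive kinds seen in it across all records."""
    found = {}
    for rec in records:
        for field, value in rec.items():
            kind = classify(value)
            if kind:
                found.setdefault(field, set()).add(kind)
    return found


def tokenize(value, key):
    """Deterministic token: HMAC-SHA256 under a key stored outside the database.

    The same input always yields the same token, so joins and lookups still
    work on the tokenized table. Because SSNs come from a small space, the
    key must stay secret: without it, the token cannot be reversed or guessed
    by enumeration.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def devalue(records, key, fields):
    """Return copies of the records with the named fields replaced by tokens."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            if copy.get(field) is not None:
                copy[field] = tokenize(copy[field], key)
        out.append(copy)
    return out


# Constructed sample data; the key is a placeholder, not a real secret.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Sample", "ssn": "123-45-6789", "email": "a@example.com", "plan": "gold"},
    {"id": 2, "name": "B. Sample", "ssn": "987-65-4321", "email": "b@example.com", "plan": "basic"},
]
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"

if __name__ == "__main__":
    print("sensitive fields:", inventory(SAMPLE_RECORDS))
    for rec in devalue(SAMPLE_RECORDS, SAMPLE_KEY, ["ssn", "email"]):
        print(rec)
```

Running the inventory a second time over the tokenized output returns nothing, which is the check worth automating: after devaluing, the application store should contain no field that still classifies as sensitive. Fields the inventory surfaces but no process reads are the candidates for Avetisov's "what data can I delete?" question.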
"Apple triggered this paradigm shift with the introduction of Apple Pay in 2014," he says, adding that in 2018, Apple announced that future iPhones will let users store medical data, which will help speed up the decentralization of health records.