Equifax (www.equifax.com) are currently at the centre of what could be considered an information security disaster that is shaping up to shake the US banking sector to it’s core. Over 143,000,000 people have had their information compromised. It is expected that the hackers will release some, if not all, of the information in the coming days if a ransom of 600BTC (Bitcoins – a cryptocurrency – equivalent to $2.66M) is not paid. The hackers claim that they will not release credit card numbers, but this is almost irrelevant in relation to the volume of information held.
There were several places were Equifax failed in their duty of care for their customers and service users; primarily, they were storing sensitive data unencrypted. Sensitive data should be stored in an encrypted manner and if reversible encryption is used, then the keys to decrypt this should have the highest level of protection applied. In the US a person’s social security number (SSN) is considered sensitive information and forms the backbone of credit applications and identity verification, despite at the introduction of the SSN it was clearly stated that it should not be used as a method of identification.
It is this usage of the SSN that will cause the banking sector significant pain – they have lost the cornerstone of their credit issuing process, if the data is released it will be possible for unscrupulous persons to apply for credit cards or loans in other peoples names, and there is no effective way for the banks in the US to protect against this currently.
In addition to this, they were running out of date software on production systems that were exposed to the internet – it is alleged by Equifax that the exploit used to compromise their system was via a 9-year-old flaw in the Apache Struts Web Framework. The Apache foundation have responded to this allegation in relation to the age of the flaw vs when the flaw was actually detected (https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax)
The most significant set of failures however, was in their handling of the breach.
- On August 1st, Less than 3 days after the breach was uncovered by Equifax on July 29th, 3 senior executives, including the CFO, sold almost $1.8M of shares. It is claimed that the executives had not yet been made aware of the breach.
- They [Equifax] were aware of the breach on the 29th of July yet they failed to alert anyone outside the organisation until a few days ago.
- The site that was created to check if you had been affected by the breach had several notable failures: It was vulnerable to exploit itself; It had several security vulnerabilities in the application – the PIN that was generated for use was not randomised, it was based on the timestamp of the request; It was not immediately obvious that it was a genuine Equifax site and appeared to be a scam; It was returning random results in relation to whether or not you were affected by the breach.
- When customers signed up to the “1 year free” credit checking service offered by Equifax, they waived their right to sue the organisation and instead were forced to use arbitration rather than litigation.
- Their call centres were ill-equipped to deal with the volume of calls and they were using the excuse that Hurricane Irma was to blame for the long call wait, one user had 9 disconnected calls and then a 23 minute wait before being able to speak to an operator.
Equifax have since rectified some of the most glaring issues, but have yet to provide an adequate response as to how the incident occurred and what steps to mitigate these risks have been introduced.
This breach is estimated to affect up to 44M British citizens, people that are protected by the Data Protection Act. Had this breach occurred post May 2018, Equifax could face a fine of €20M or 4% of their annual global turnover (whichever is higher). It is high time that organisations such as this take responsibility, and culpability, for the security of the information held on their users. The General Data Protection Regulations which will be enforced in May of next year will go some way to providing punitive measures that are appropriate but whether it will actually stop insecure data practices is yet to be seen.