Equifax Data Breach – Hacking Horror Stories Vol.2
Imagine you’re having one of those nightmares where you’re out in public and there’s a huge, gaping hole in your trousers. You think to yourself, “ah, it’ll be alright, no one will notice it, only I know it’s there.” Then a friend comes along and says, “hey man, you’ve got a seriously big hole in your pants, you might want to sort that out.” You’re mortified, but you’re being chased by an evil monster, so you run to your office to hide. When you arrive, your boss is stood in fits of laughter screaming “oh my god, the size of that hole, you can see everything!” but because you haven’t checked it properly, you assume it’s okay and carry on running. It’s not until you run out of the building and turn around that you realize your boss, your friend, and the whole world are pointing and laughing at you. All because you’ve got this great big exposed hole in your pants, and you’ve lost all your credit cards, phone numbers and ID.
Sounds brutal, right? Well, that’s basically what happened to Equifax, except it couldn’t wake up from this nightmare.
Equifax Data Breach
Nothing screams spine-chilling like one of the ‘Big Three’ consumer credit reporting agencies, trusted by over 800 million consumers and 88 million businesses worldwide, being viciously hacked in a huge data breach that exposed the records of millions of the people it holds data on.
Equifax became vulnerable to this attack after failing to patch a known, remotely exploitable hole (CVE-2017-5638, a remote code execution flaw in the Jakarta Multipart parser) in the Apache Struts 2 framework behind one of its public-facing web applications. The US Department of Homeland Security (via US-CERT) had even alerted the credit-reporting giant in March 2017 that the vulnerability needed patching. However, due to insufficient patch management and auditing processes, the fix was never applied to the affected system, and the attackers had access from May 13 until July 30, 2017. The American division first recognized the intrusion late in July, and in August 2017 it became clear that the UK had been hit too.
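The practical check that was missing here is an inventory of where the vulnerable framework actually lives. As an added example (not from the original article, and not Equifax’s or Quadrotech’s tooling), the Python script below walks a deployment tree and flags every struts2-core jar, whether it sits bare on disk or is bundled inside a WAR/EAR, whose version falls in the ranges Apache’s S2-045 advisory lists as affected by CVE-2017-5638: 2.3.5 through 2.3.31 and 2.5 through 2.5.10. The directory layout, the “dispute-portal” application name and the jar files are constructed for the demonstration and are not real artefacts.

```python
"""
Added example (not from the original article): scan a deployment tree for
Apache Struts 2 core jars whose version is in the ranges affected by
CVE-2017-5638 (Apache advisory S2-045: 2.3.5 - 2.3.31 and 2.5 - 2.5.10).
The sample tree built by build_demo_tree() is constructed for the demo.
"""
import os
import re
import tempfile
import zipfile

# Inclusive version ranges named in the S2-045 advisory.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]

# Matches e.g. struts2-core-2.3.31.jar and captures the version string.
JAR_NAME_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5' -> (2, 5, 0); '2.5.10.1' -> (2, 5, 10, 1).

    Pads short versions to three components so '2.5' compares as 2.5.0, but
    keeps a fourth component so the fixed release 2.5.10.1 sorts above 2.5.10.
    """
    parts = tuple(int(p) for p in text.split("."))
    return parts if len(parts) >= 3 else parts + (0,) * (3 - len(parts))


def is_affected(version):
    """True if the version string lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_struts_jars(root):
    """Yield (location, version) for struts2-core jars on disk or inside archives."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            m = JAR_NAME_RE.search(name)
            if m:
                yield path, m.group(1)
            elif name.lower().endswith((".war", ".ear", ".zip")) and zipfile.is_zipfile(path):
                # Struts is usually shipped inside WEB-INF/lib of a WAR, so look inside.
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        m = JAR_NAME_RE.search(os.path.basename(member))
                        if m:
                            yield f"{path}!{member}", m.group(1)


def audit(root):
    """Return a sorted list of (location, version, affected) for reporting."""
    return sorted((loc, ver, is_affected(ver)) for loc, ver in find_struts_jars(root))


def build_demo_tree():
    """Constructed sample deployment: two bare jars plus one WAR with a bundled jar."""
    root = tempfile.mkdtemp(prefix="struts-audit-")
    lib = os.path.join(root, "tomcat", "lib")
    os.makedirs(lib)
    for jar in ("struts2-core-2.3.31.jar", "struts2-core-2.5.10.1.jar"):
        open(os.path.join(lib, jar), "wb").close()  # empty placeholder jars
    war = os.path.join(root, "tomcat", "webapps", "dispute-portal.war")
    os.makedirs(os.path.dirname(war))
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/struts2-core-2.5.jar", b"")
        zf.writestr("WEB-INF/lib/commons-io-2.4.jar", b"")
    return root


if __name__ == "__main__":
    for loc, ver, bad in audit(build_demo_tree()):
        print(("VULNERABLE " if bad else "ok         ") + ver + "  " + loc)
```

Matching on the filename is only a first pass: a renamed or shaded jar will slip through, so confirm suspect hits against the version recorded in META-INF/maven/org.apache.struts/struts2-core/pom.properties inside the jar. The flaw was fixed in 2.3.32 and 2.5.10.1, so anything older on either branch is still exposed, and the scan is only useful if it is run against every host, including the forgotten ones.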
The scale of this data breach was staggering. The Equifax hackers managed to exfiltrate:
- 146.6 million people’s data
- 99 million addresses
- 209,000 payment cards
- 38,000 driver’s licenses
- 3,200 passports
It was also reported by The Register that a sizeable portion of the stolen data came from a file used by the Equifax fraud investigations team. The folder holding it was accessible to sysadmins and IT staff, and therefore, once the attackers had a foothold, to the hackers as well.
UK Equifax eventually came clean to the ICO, admitting that just under 400,000 Brits had been affected by the breach. It later emerged that this original estimate was almost laughably low: the true number of affected UK citizens was around 15 million.
Consequently, the ICO punished Equifax with a somewhat hefty fine of £500,000 ($660K), the highest penalty possible under the UK’s old Data Protection Act. Spread across those affected, that is a paltry 3p per person. Equifax got lucky with the breach timeline; had the breach taken place after the GDPR compliance deadline (May 25, 2018), it would have faced a far more fitting fine of up to 4% of global annual turnover, around $136M on revenue of $3.4 billion.
There are wider implications for global companies that experience a data breach. For one, the ICO is not the only regulator that can hand out fines. Because Equifax’s breach affected people all over the globe, other regulators will be watching to see whether the ICO’s fine stands (Equifax can appeal). If Equifax pays up, other regulators may fine it in a similar fashion, so the total bill for this breach could continue to grow.
Another implication Equifax is likely to encounter is the impact on its insurance. Large corporations often carry cyber security insurance, and since premiums are priced on risk, Equifax can expect a huge increase.
The breach also consumed the company’s own resources, because it had to establish how severe the breach was. That meant assigning its IT department to reconstruct what the hackers did on test installations, which cost a lot of time and money and slowed down many of its other processes.
Consequently, the somewhat measly £500k ($660K) fine is now looking a lot bigger.
How can you avoid this happening to you? This breach could have been mitigated by using good data and metrics to enforce compliance and policy, in adherence not only with the law but with internal policy and best practice.
For example, allocate a percentage of your security budget to proactive, preventative security tooling. Such tools let you set policies based on actual activity, refine security configurations, and check that permissions are appropriate (an over-permissive folder like the fraud investigation share described above is exactly what such a check should catch). You can also use the data these auditing tools collect to make informed decisions on where to allocate the rest of your budget for the best security return.
Quadrotech’s Radar for Security & Audit is one such tool. Along with the capabilities mentioned above, it lets you quickly and effectively find the source of an active threat, so you can lock down affected accounts, avoid further impact, and investigate any damage.