Equifax: A teaching opportunity

Equifax did just about everything wrong. Here's what's going to happen because of it.


The dust hasn’t settled and the lawsuits are just getting filed, but already there is a wealth of learning opportunity from the Equifax debacle.

To start with, every security professional knows that you will be breached eventually, so you really, really need a good response plan.  Hopefully you have exercised your plan and everyone knows exactly what to do when the breach happens.  We all learned that from the Target and Home Depot breaches, right?

If you want to know what constitutes a good response plan, just look at what Equifax did and do the exact opposite.

I don’t know how Equifax could have screwed this up any more than they did.  It is truly a feat to behold. 

First, they knew about the breach on July 29th, but didn’t tell anyone until 6 weeks later.  6 weeks! 

Second, days before they did announce the breach, three executives dumped their personal stock.  Isn’t there some law against that?  Oh yeah…there is, and the SEC is looking into it.  As though that wasn’t enough, when this news broke, Equifax commented that the people who dumped the stock didn’t know about the breach.  Uh…what?  So Equifax is claiming that John Gamble, the CFO; Rodolfo Ploder, president of workforce solutions; and Joseph Loughran, president for U.S. information solutions, didn’t know about the largest breach in world history even though the rest of the company had known about it for 6 weeks?  Personally, I think when the SEC is done here, someone is going to jail.

Third, Equifax set up a website where people can find out if their information was breached.  Unfortunately, they built the website on WordPress, the most vulnerability-ridden software still on the market.  Yeah…that makes sense. 

Fourth, the site that they put up has (or at least had) an improper SSL certificate, so most people got a security warning, and sites like OpenSSL won’t even connect to the Equifax site. As of today, 9/11, when I checked the site, it still showed SHA1 as its hashing algorithm. 
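The check the author describes above (does the site's certificate still carry a SHA1 signature?) can be done without a browser by reading the certificate's outer signatureAlgorithm OID straight out of the DER. The script below is an added example, not part of the original article and not an Equifax artefact; it uses only the Python standard library, builds two constructed certificate-shaped DER blobs (a real TBS body is not needed to read the outer algorithm), and flags any signature that names SHA1 or MD5. The OID table and the helper names (`read_tlv`, `decode_oid`, `assess`) are this example's own.

```python
import ssl  # used only in the optional live-check helper at the bottom

# Well-known signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
KNOWN_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_HASH_MARKERS = ("sha1", "md5")


def read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]    # first octet packs the first two arcs
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit set = more to come
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm(cert_der):
    """Return the dotted OID from a Certificate's outer signatureAlgorithm field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)          # skip tbsCertificate entirely
    tag, alg_id, _ = read_tlv(body, pos)   # AlgorithmIdentifier ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)      # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def assess(cert_der):
    """Return (oid, name, is_weak) for the certificate's signature algorithm."""
    oid = signature_algorithm(cert_der)
    name = KNOWN_SIGNATURE_OIDS.get(oid, "unknown")
    weak = any(m in name.lower() for m in WEAK_HASH_MARKERS)
    return oid, name, weak


# --- constructed sample input (not a real certificate) -----------------------
def der(tag, content):
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def fake_certificate(sig_oid_octets):
    """Certificate-shaped DER: dummy TBS, the given AlgorithmIdentifier, dummy signature."""
    tbs = der(0x30, der(0x02, b"\x01"))                       # placeholder tbsCertificate
    alg = der(0x30, der(0x06, sig_oid_octets) + der(0x05, b""))  # OID + NULL params
    sig = der(0x03, b"\x00" + b"\xAA" * 16)                   # placeholder BIT STRING
    return der(0x30, tbs + alg + sig)


SHA1_RSA_OID = bytes.fromhex("2A864886F70D010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11
SAMPLE_SHA1_CERT = fake_certificate(SHA1_RSA_OID)
SAMPLE_SHA256_CERT = fake_certificate(SHA256_RSA_OID)


def assess_live(host, port=443):
    """Fetch a server's leaf certificate and assess it (network; not used in tests)."""
    pem = ssl.get_server_certificate((host, port))
    return assess(ssl.PEM_cert_to_DER_cert(pem))


if __name__ == "__main__":
    for label, cert in (("sha1 sample", SAMPLE_SHA1_CERT), ("sha256 sample", SAMPLE_SHA256_CERT)):
        oid, name, weak = assess(cert)
        print(f"{label}: {oid} ({name}) weak={weak}")
```

The outer AlgorithmIdentifier is the one that matters here: it names the hash the issuing CA used to sign this certificate, which is what browsers warned about for SHA1 leaf and intermediate certificates. A self-signed root's own SHA1 signature is not checked by clients and would not explain the warning the author saw.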

Fifth, if you do get to the site, it asks you for the last 6 digits of your social security number and your name.  Wait…you just breached my info and you want me to give you all but 3 digits of my personal info…on a vulnerability-ridden site with an insecure SSL certificate?  Oh yeah!  Why don’t I just enter all of my passwords while I’m at it and you can see if they are good too?

Sixth, Equifax offers credit protection for anyone involved in the breach.  Wait…isn’t that a legal requirement in many states?  Yep.  It is!  They are offering what they need to offer by law anyway.

Seventh, the credit monitoring they are offering is their own.  Again, how does this work?  They breached my data and now they want me to trust them to monitor my credit?  Fool me once, shame on you.  Fool me twice, shame on me.  Something tells me the FTC will be weighing in on this one soon.

Eighth, if you do opt for credit monitoring, you need to agree to binding arbitration in lieu of any other legal recourse.  In other words, you give up many of your legal rights.  Sure.  Why not?  Of course, today Equifax is “refining the terms of agreement” after a huge uproar from consumers.

Ninth, rather than take responsibility, they are blaming it all on open source software.  Hello, Equifax!  Even if you used open source software, you are still responsible for the event!

Every day when I open the news there is yet another example of how Equifax has absolutely screwed up their response to this breach.  If there is a communications officer at Equifax, they are remaining conspicuously silent, and probably should.  If I were the communications officer for Equifax, I would resign and remove it from my resume. (I’d probably do the same if I were part of their security team.)

Why is this breach worse than any other breach in history?

First, the scope of this breach is massive.  People throw around the 147 million number, but let’s put that in perspective.  According to the last census, there are ~323 million people in the United States, but that includes everyone.  Only 63.3% are actively employed.  Also, 16.3% are under the age of 18.  If we start to narrow that down, it becomes apparent that Equifax revealed the personal data of just about every American who has credit.

Second, the information that was revealed is static and can’t be changed.  When Target was breached, you just changed your password (and everywhere else you used the same password, if you were foolish enough to reuse it).  That was it.  But with this breach, Social Security Numbers, birthdays, driver’s license numbers, and (I think) past addresses were revealed.  We can’t change those, and now that they are out, they are useless for identification.

What does the future hold?

Personally, I don’t think Equifax can withstand this.  I don’t think anyone will trust them with personal information again.  Like Enron, they will die and be no more. 

Identification of individuals will change.  The security industry will need to figure out a new way to identify someone.  Asking for a combination of Driver’s License, SSN, and past addresses is no longer a viable identification means.  Things will have to change.

Recent studies show that 3 out of 5 small and medium businesses that suffer a security breach go out of business.  I think we are about to see that large businesses are no less susceptible. 

As of now, the saga continues…

Copyright © 2017 IDG Communications, Inc.
