News

The 2017 Security Recap: Equifax Breach Tops Them All

The biggest security incident of the year serves as a reminder for organizations to refocus on and prioritize strong network defenses.

• By Chris Paoli
• December 01, 2017

In recent years, the rise of "hacktivist" campaigns targeting individuals and countries for more than personal financial gain has hogged the spotlight and been the main narrative when it comes to the state of cybersecurity. And while nation-sponsored cyberattacks were still relevant in 2017, especially as the United States is still investigating if and how the Russian government might have affected the 2016 presidential election, this year has been marked by more traditional attacks and breaches -- although the scale and scope have been beyond anything we've ever seen.

For those in the United States, I've got some bad news for you: If you were under the impression that, despite massive credit card, retailer and social media platform breaches of the past few years, your personal information was still safe, this year's unprecedented security headache at Equifax almost assuredly means that there's a strong chance your data is floating out in the open.

To recap, in late July, Equifax, one of the three major U.S. credit monitoring and reporting services, discovered suspicious traffic on its network that ultimately led to the personal information of 145.5 million individuals being leaked. That's almost half of the entire U.S. population.

While there have been larger breaches in the past, like the 2013 Yahoo incident that exposed almost 3 billion accounts, or the 2014 eBay security breach that saw the loss of 146 million user names and passwords, the Equifax incident could do more damage in the long run because of the type and amount of information leaked. Those names, addresses, phone numbers and Social Security numbers are everything necessary for a motivated criminal to perform identity theft.

For the general public, the lasting impact of the Equifax breach means that we all need to take a more active role in protecting our private data, whether that means online identity services, third-party credit monitoring (maybe look at services not connected to Equifax) and maintaining safe online practices, like using strong, unique passwords and avoiding phishing e-mails.

For organizations, the event could be seen as a cautionary tale for businesses to make sure their security can properly defend and respond to threats and, more important, when an issue arises, be able to apply fixes in a timely manner.

When speaking to the House Commerce and Energy Committee in early October, former Equifax CEO Richard Smith blamed the entire breach on the inability of the IT department to properly implement a patch for the Struts vulnerability -- the hole that was used in the attack and a flaw that had been known to Equifax since March.

"Equifax's efforts undertaken in March 2017 did not identify any versions of Apache Struts that were subject to this vulnerability, and the vulnerability remained in an Equifax Web application much longer than it should have," wrote Smith in his written testimony. "I understand that Equifax's investigation into these issues is ongoing. The company knows, however, that it was this unpatched vulnerability that allowed hackers to access personal identifying information."

Whether pinning the incident on the failings of the IT staff was an opportunity for Equifax executives to shift the blame away from them, or it was the earnest truth, the implication that a major, global entity's entire security defense could crumble when a known vulnerability isn't spotted and a readily available fix isn't applied should give pause to organizations and reiterate that prevention is the key.

Speaking on the incident, Tim Erlin, vice president of strategy at security firm Tripwire Inc., said the lesson is to put a comprehensive defensive plan in place and to be constantly vigilant about it.

"The best time to develop a response plan for a breach is well before one occurs," said Erlin. "Information security teams at other organizations should use this incident as an opportunity to evaluate their own plans. All organizations that collect and store sensitive data are targets. Doing the basics right, such as ensuring secure configurations, managing vulnerabilities and capturing log data, is the most effective way to prevent breaches."

While the Equifax security incident this year really didn't teach us anything new, aside from the fact that you should be keeping an eye on your credit activity, it should act as a wake-up call for those organizations that might have slipped into a state of apathy when it comes to network defenses. Taking an active approach in your security defense now could save your business time and money in the long run.