While we thought the UK fine for Equifax was the last word on the topic for 2018, the US House of Representatives Committee on Oversight and Government Reform released its report into the 2017 Equifax data breach on which we have written before here, and concluded that:
“Equifax failed to fully appreciate and mitigate its cyber security risks. Had the company taken action to address its observable security issues prior to the cyber-attack, the data breach could have been prevented”.
This damning report finds that the breach was entirely preventable. It also makes some key points that are salient for any organisation holding large volumes of sensitive data.
The US House of Representatives took the view that entities that hold large amounts of sensitive personal data are a high-value target for cyber criminals and consequently have a heightened responsibility to protect that data by providing best-in-class data security. That means that, whatever the size of the organisation, it needs to implement an adequate security program to protect that data.
In terms of dealing with patches for known vulnerabilities, Equifax did not fully patch its systems. One of the findings of the review was that the attackers who gained access sent 9,000 queries to 48 separate databases, successfully locating personal information 265 times, and managed to exfiltrate data without Equifax knowing. One reason the attackers succeeded was that Equifax had left a security certificate expired for 19 months; it was only when the expired certificate was renewed that the suspicious traffic was noticed.
The report found that Equifax had allowed over 300 security certificates to expire, including 79 that related to the monitoring of business-critical domains.
The review noted that the complexity of the IT environment, the result of an aggressive growth strategy over a 12-year period, meant that multiple legacy systems operated alongside one another, and that Equifax failed to ensure that the investment in security for those systems was sufficient. Equifax failed to implement an adequate security program to deal with this complexity.
The review also pointed to a lack of accountability and no clear lines of authority within Equifax's IT management and reporting structure, which left a gap in reporting so that the attack was not dealt with properly.
Finally, once Equifax had engaged with a cyber security firm to conduct the forensic investigation and announced the breach to the public, knowing that 143 million consumers had been affected, the dedicated breach website and call centre it had prepared were immediately overwhelmed and unable to give consumers timely information.
The report highlights once again that failing to prepare is preparing to fail.
The team at Holding Redlich can assist you to prepare for such eventualities, by putting in place strategies to mitigate risk and preparing to respond to breaches when they occur.
Author: Lyn Nicholson
Lyn Nicholson, General Counsel
T: +61 2 8083 0463
Dan Pearce, Partner
T: +61 3 9321 9840
Trent Taylor, Partner
T: +61 7 3135 0668
Andrew Hynd, Partner
T: +61 7 3135 0642
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources.
Published by Lyn Nicholson