Equifax: What went wrong?
Article by Lucy Hook – Insurance Business Magazine
16 October 2017
It’s not been a great few months for US credit-reporting giant Equifax.
Early last week, the company admitted that the number of UK customers whose data was stolen in the huge breach between May and July this year was closer to 694,000, not the nearly 400,000 it had initially reported.
Then, the firm was hit with more bad news, revealing that a third-party vendor it uses to collect performance data on its US website was “serving malicious content.”
But what went wrong for the beleaguered firm, and what can companies do when it comes to ensuring the security of third-party vendors? Insurance Business asked cyber security experts ITC Secure Networking.
“The real-world answer is triage,” director of cyber risk, Gareth Lindahl-Wise, said of the need to assess third parties.
“Are they critical to your business and/or do they interact with sensitive information; be that commercially sensitive or regulated information such as DPA (soon to be GDPR) or market sensitive information? If so, make sure you understand the business processes and information flows as a first point, then determine if their security controls are appropriate to your risks,” he advised.
As for Equifax’s major data breach, which saw the personal details of 146 million US customers and 8,000 Canadians stolen, Lindahl-Wise pointed out several key ‘strikes’ against the company in its handling of the event.
“The initial compromise appears to have come from a publicised vulnerability,” he said. “Exploit date to exploitation seems to have been about two to three months. Many organisations would struggle to respond in those timescales, but Equifax should have understood the potential impact and expedited this patch, or put in mitigating controls. They know their client data, they know the impact,” the director said.
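The two points above, triaging third parties by criticality and data sensitivity, and expediting patches (or putting in mitigating controls) for publicised vulnerabilities when the impact is known, can be turned into a simple prioritisation check. The following is an added example written for this page, not code from ITC Secure Networking or Equifax; the deadline values, asset names, advisory identifier and dates are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed remediation budgets in days since public disclosure, keyed by how
# exposed an asset is and whether it handles regulated or commercially
# sensitive data. These are illustrative policy values, not figures from the
# article: a publicised vulnerability on an internet-facing system holding
# sensitive data gets the shortest budget.
DEADLINE_DAYS = {
    ("internet_facing", True): 7,
    ("internet_facing", False): 14,
    ("internal", True): 30,
    ("internal", False): 60,
}


@dataclass(frozen=True)
class VulnerableAsset:
    name: str
    exposure: str          # "internet_facing" or "internal"
    sensitive_data: bool   # handles regulated (DPA/GDPR) or market-sensitive data
    advisory_id: str       # placeholder identifier for the publicised vulnerability
    disclosed: date        # date the vulnerability was publicised
    patched: bool
    mitigated: bool        # compensating control in place while unpatched


def deadline_for(asset):
    """Days allowed between public disclosure and remediation for this asset."""
    return DEADLINE_DAYS[(asset.exposure, asset.sensitive_data)]


def triage(assets, today):
    """Return (name, status, days_since_disclosure) for every unpatched asset,
    most exposed first. Patched assets are dropped from the list."""
    results = []
    for asset in assets:
        if asset.patched:
            continue
        age = (today - asset.disclosed).days
        if age > deadline_for(asset) and not asset.mitigated:
            status = "OVERDUE_UNMITIGATED"   # needs action now: patch or mitigate
        elif age > deadline_for(asset):
            status = "OVERDUE_MITIGATED"     # budget exceeded but risk reduced
        else:
            status = "WITHIN_SLA"
        results.append((asset.name, status, age))
    return sorted(results, key=lambda r: -r[2])


# Constructed sample inventory; the advisory id is a placeholder.
TODAY = date(2017, 7, 20)
SAMPLE_ASSETS = [
    VulnerableAsset("customer-portal", "internet_facing", True,
                    "ADV-PLACEHOLDER-1", date(2017, 5, 1), False, False),
    VulnerableAsset("hr-intranet", "internal", False,
                    "ADV-PLACEHOLDER-1", date(2017, 6, 1), False, False),
    VulnerableAsset("marketing-site", "internet_facing", False,
                    "ADV-PLACEHOLDER-1", date(2017, 6, 20), False, True),
    VulnerableAsset("build-server", "internal", True,
                    "ADV-PLACEHOLDER-1", date(2017, 6, 1), True, False),
]

if __name__ == "__main__":
    for name, status, age in triage(SAMPLE_ASSETS, TODAY):
        print(f"{name:16} {status:20} {age} days since disclosure")
```

The sort puts the oldest unremediated exposure first, which is the case the director describes: an internet-facing system holding client data that has been vulnerable for months after the advisory was published.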
Equifax’s initial communications were not particularly informative, and the company’s “downward spiral” started when it used an “easily spoofed website” to issue advice to customers, he said.
“That was then spoofed, and their own internal teams forwarded the ‘fake’ site’s info on Twitter,” he explained. “In the UK, impacted users were advised of the increased scope of UK impact by the NCSC before Equifax. Not cool.”
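The spoofed-website problem described above has a defensive counterpart: before a communications team publishes or forwards a link, it can be checked against the domains the organisation actually owns, and anything that merely resembles one of them flagged. The following is an added example for this page, not code from Equifax, ITC Secure Networking or Insurance Business; the owned domains, the lookalike URLs and the 0.8 similarity threshold are constructed assumptions, and the registrable-label extraction assumes single-label top-level domains.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist of domains the organisation owns (assumption).
OWNED_DOMAINS = ("examplecorp.com", "examplecorp-help.com")

# Common visual substitutions seen in lookalike names; maps lookalike -> canonical.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def host_of(url):
    """Lowercase host from a URL or bare domain, without scheme, port or path."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", url.strip().lower())
    if not m:
        raise ValueError("no host in %r" % url)
    return m.group(1).rstrip(".")


def normalise(text):
    """Fold homoglyphs and drop hyphens so visually similar names compare equal."""
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text.replace("-", "")


def brand_label(domain):
    """Second-level label, e.g. 'examplecorp' from 'examplecorp.com'.
    Assumes a single-label TLD; a public-suffix list would be used in practice."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(url, owned=OWNED_DOMAINS, threshold=0.8):
    """Classify a link as owned, one of three lookalike kinds, or unrelated."""
    host = host_of(url)
    for d in owned:
        if host == d or host.endswith("." + d):
            return "owned"
    label = normalise(brand_label(host))
    whole = normalise(host.replace(".", ""))
    brands = [normalise(brand_label(d)) for d in owned]
    # Same brand label on a domain we do not own: wrong TLD or character swap.
    if label in brands:
        return "lookalike_brand_label"
    # Brand name buried in a longer name or in a subdomain of another host.
    if any(b in whole for b in brands):
        return "lookalike_brand_embedded"
    # Near miss by edit similarity, e.g. transposed letters.
    if any(SequenceMatcher(None, b, label).ratio() >= threshold for b in brands):
        return "lookalike_near_match"
    return "unrelated"


def safe_to_publish(url):
    """Only links on owned domains should go out in customer advice."""
    return classify(url) == "owned"


if __name__ == "__main__":
    # Constructed sample links a comms team might be asked to forward.
    for link in ["https://help.examplecorp.com/reset", "examp1ecorp.com",
                 "https://securityexamplecorp2017.com", "examplecrop.com",
                 "http://examplecorp.com.evil-host.net/login", "totallydifferent.org"]:
        print(f"{link:45} {classify(link)}")
```

The check is deliberately strict: anything that is not on an owned domain is refused, and the lookalike categories exist only to explain to the person publishing why a link was refused. Running an unknown link through such a gate is the control that was missing when the ‘fake’ site was forwarded.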
In terms of the long-term effect on the company, time will tell, according to the director.
“There is some chatter about recent US Government engagements being put on hold,” he said. “The bigger question in my mind is undermining the role of credit reference agencies helping ordinary citizens in understanding their credit ratings and identifying potential fraud. We need this, but we need this to be secure!”