The Equifax data breach could have been prevented

Nuno Loureiro, Probely
Sep 13, 2017 (2 min read)

At the end of last week the headlines centered around the news that 143 million US consumers had their personal data stolen by criminals that hacked into the credit reporting firm Equifax.

Photo by Samuel Zeller

There are two important dimensions to this breach. First, its size: 143 million people is roughly 44% of the U.S. population, which the Census Bureau put at around 324 million in 2017. In other words, roughly one in every two people in the US had their personal data stolen.

Second, the longevity of the impact. The data stolen consisted of social security numbers, dates of birth, addresses, driver's license numbers and credit card numbers. Apart from the credit card numbers, which can be reissued, this is long-lived data; a date of birth or social security number will, in practice, never change. This means that those affected will have to live with their data being exposed for the rest of their lives, no matter what corrective measures are taken. That data can be used to steal a person's identity, for instance to take out fraudulent loans, or to conduct social engineering attacks that gain access to existing accounts.

Little has been disclosed about how the data was stolen, but the available evidence points to one or more vulnerabilities in Equifax's web applications, whether the public site or an API used by its partners. These are now the most exposed part of most companies' attack surface. A single SQL injection, remote code execution or local file inclusion vulnerability is enough to expose an entire database of customer data.

Now, this is something that could have been prevented if Equifax had taken the proper measures to protect itself and its customers.

An important part of that protection is the continuous scanning of web applications for vulnerabilities. Probely automates the detection of these vulnerabilities, allowing companies like Equifax to increase the chance of catching a vulnerability before it reaches the live site.
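The two points above, that a single injection flaw can expose an entire table and that an automated probe can catch it, are easy to see in code. The following Python example is added here and is not part of the original post, nor Probely's code: the in-memory table, its rows, the payload and the scanner-style probe are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not real Equifax data): a tiny customers table
# holding the kind of long-lived personal data discussed above.
SAMPLE_CUSTOMERS = [
    ("alice", "1980-01-01", "123-45-6789"),
    ("bob", "1975-06-30", "987-65-4321"),
    ("carol", "1990-12-12", "555-55-5555"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, dob TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable lookup: user input is spliced straight into the SQL string."""
    sql = "SELECT username, dob, ssn FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened lookup: a parameterized query, so input is data, never SQL."""
    sql = "SELECT username, dob, ssn FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A classic tautology payload: closes the quoted string and ORs in a true clause.
INJECTION = "x' OR '1'='1"


def probe_for_sqli(conn, lookup):
    """Crude boolean-based check in the spirit of an automated scanner
    (assumed logic for this example, not Probely's). A username that cannot
    exist should return no rows; if appending a tautology changes that,
    the input is reaching the SQL parser."""
    baseline = lookup(conn, "no-such-user")
    injected = lookup(conn, "no-such-user' OR '1'='1")
    return len(injected) > len(baseline)


def demo():
    """Run both lookups with a normal and an injected username, plus the probe."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_injected": lookup_vulnerable(conn, INJECTION),
        "safe_injected": lookup_safe(conn, INJECTION),
        "probe_vulnerable": probe_for_sqli(conn, lookup_vulnerable),
        "probe_safe": probe_for_sqli(conn, lookup_safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable lookup returns every row in the table for the injected username, the parameterized one returns nothing, and the probe flags only the vulnerable function. The same comparison, driven against real endpoints with a much larger payload set, is essentially what a web application scanner does.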

However, it would be naive to claim that web application scanning alone would have prevented the Equifax breach. Probely is part of the solution, and probably enough for many companies, but in most cases additional security measures are recommended.
