Equifax: A Cautionary Tale

Tom Kemp
The Aftermath of a Data Breach
Jun 29, 2018

A captain never believes his ship will founder. If he did, he’d probably never set sail. But occasionally ships, just like businesses, hit unforeseen obstacles and, yes, sometimes they even sink to unimaginable depths.

In a crisis, it’s hard to predict how people will react. The business, like the captain, hires competent experts to deal with any circumstance, but when revenues, careers and the business itself are on the line, some keep a cool head while others may not.

So, rather than dismiss the Equifax incident as something that “could never happen to us,” know that it absolutely could. The only way to avoid a devastating breach is through a meticulous prevention strategy and a strong security posture. Once the iceberg’s been hit, the response by employees, investors and even executives will surprise you.

Here’s a breakdown of what happened to one of the largest credit agencies on the planet.

THE BREACH

On March 8, 2017, U.S. CERT sent Equifax and many others a notice of the need to patch a particular vulnerability in “Apache Struts.” Despite this notification and a 48-hour patching protocol at the company, the vulnerable version of Apache Struts within Equifax was not identified or patched.

On July 29, Equifax’s security department observed suspicious network traffic associated with the consumer dispute website and took the web application completely offline the following day.

The company then embarked on an extensive internal investigation to figure out what happened, what parts of the Equifax network were affected, how many consumers were affected, and what types of information were accessed or potentially acquired by the hackers.

On September 7, 2017 — six months after the patch notification and almost six weeks after realizing they’d been breached — Equifax announced that the personal data of over 143 million people — including their names, addresses, birth dates, as well as their Social Security, driver’s license and credit card numbers — was compromised.

NEVER-ENDING ISSUES

Since the breach, Equifax has been harshly criticized for a number of missteps.

First, the company waited several weeks to announce the breach. Many experts feel that once it did make the breach public, it didn’t provide adequate consumer information. At one point, it even forced potential victims to waive their right to litigation (later retracted) if they wanted to find out whether their data was exposed.

The Timeline: Equifax breach, to notification 16 weeks later

Via Twitter, the company’s communications team directed customers to a site that would allow them to learn if their personal information had been breached. But they got the URL wrong and actually sent consumers to a fake phishing version of the actual site. This was followed by reports that an app used by the company’s Argentine offices could be accessed using “admin” as the username and password.

These egregious blunders aside, it’s important to understand that clumsy mistakes are surprisingly common. In times of crisis, reason and good judgment are often the first things to go. And while some employees can be counted on to implement an effective crisis plan, others may act in unforeseen ways. It would be wise not to dismiss the possibility of this happening to your organization.

EQUIFAX STOCK CRASHES

Before the breach was announced, Equifax’s stock closed at $142.72. The day after, the stock closed at $123.23 for a loss of 13.6%. Seven days later, it closed at $92.98 for a total loss of 35%. Two weeks after the announcement, the stock had rebounded off its lows, but at $105 remained down 26%. It again closed under $106 the following week, suggesting its trading range in the near-to-medium term will hover around 25% below price levels before the announcement. This represents a market cap loss of approximately $4.3 billion for the company, from $17.18 billion to $12.9 billion.

Equifax lost $4.3 billion in market cap in just 3 weeks

A Centrify-commissioned Ponemon study found that stock prices are historically impacted by security breaches, but rarely to this degree. Typically, stock prices fall by an average of 5% immediately following the announcement of a breach. From there, price action is directly linked to the security posture of the organization. Those with a stronger security posture will rebound more fully and more rapidly than those without.

While it’s clear that the Equifax security posture was relatively weak, it seems as though the market is punishing the company more severely than it has others. That could be due to the company’s focus on consumer credit ratings, to the series of missteps after the breach, or it could be indicative of a larger trend — that investors are growing less tolerant of companies that don’t take security and the protection of their customer data seriously enough.

EXECUTIVE DEPARTURES

Days after the breach was made public, Equifax announced that two senior executives — Chief Information Officer Dave Webb and Chief Security Officer Susan Mauldin — would be exiting the company effective immediately. Not long after, the company announced the additional departure of CEO Richard Smith after a 12-year tenure.

The recent trend towards holding upper management responsible for cyber risks suggests that Equifax should anticipate a number of lawsuits filed against these and perhaps other Equifax executives. After the Target breach forced the ouster of CEO Gregg Steinhafel, at least seven directors and officers found themselves in legal battles.

While we’re unaware of any court decisions in favor of the plaintiffs against specific company executives thus far, the extraordinary circumstances surrounding this incident could make it the first, setting a new legal precedent that could be a game changer. Whether or not such lawsuits prevail, the headaches for senior executives will certainly continue for years to come.

ANOTHER 2.4 MILLION

On March 1, 2018, Equifax disclosed that an additional 2.4 million customers were impacted by the breach, bringing the total to about 148 million people. According to the company, these newly-identified customers were found through ongoing analysis of the breach, looking for consumers whose partial driver’s license information was taken.

“Equifax was able to identify approximately 2.4 million U.S. consumers whose names and partial driver’s license information were stolen, but who were not in the previously identified affected population discussed in the company’s prior disclosures about the incident. This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates.”

LAWSUITS AND THE SPECTER OF FEDERAL FINES

Executives may or may not find themselves embroiled in lawsuits, but it’s clear that Equifax will spend a significant amount of time and money defending itself in the years to come.

Last year, the Consumer Financial Protection Bureau ordered Equifax to pay millions in fines and restitution for allegedly misleading customers about their credit score services, reminding us of the possibility that federal fines could be added to Equifax’s long list of problems. Experts have suggested that, at the very least, the FTC will take a more aggressive and proactive stance against the company which may result in fines and ultimately lead to new cybersecurity legislation.

While financial analysts are split on whether Equifax will remain solvent or is destined for bankruptcy, Gartner IT analyst John Wheeler predicted in a blog that, “Equifax will ultimately be acquired out of bankruptcy by one of the remaining two credit reporting companies — TransUnion or Experian.”

According to a recent Gartner blog:

“When considering an estimate of the potential costs associated with the data breach (based on the 2017 IBM/Ponemon Institute Cost of Data Breach Study), Equifax faces a potential loss of $20.2 billion which currently exceeds their total market value by $8.3 billion. Also, the company currently faces more than 23 class-action lawsuits, with at least one seeking more than $70 billion in damages.”

ALL ROADS LEAD TO IDENTITY

In this day and age, instructing organizations to implement basic security policies and then adhere to them is so fundamental, it almost seems insulting. But it must be stated. And even though telecom giant Verizon contends that 10 times more breaches can be attributed to identity than to vulnerability exploits, organizations must still make installing patches and updates a top priority.

What’s more, new zero-day vulnerabilities will always provide an effective mechanism for entry. And with so many cloud apps, remote workers, mobile devices, and IoT appliances providing pathways into a business, the traditional perimeter will only become harder and harder to secure. That’s why companies continually fall victim to cyber thieves — even though they currently spend over $80 billion a year on security.

The numbers don’t lie: privileged and weak credentials are the new attack vector

While identity doesn’t seem to have played a role in the initial entry into the Equifax environment, it may have been instrumental in the actual pilfering of consumer data. The initial breach is often just a method of gaining a foothold in the organization. Once inside, malware can then be installed to capture credentials and use them to gain access to the most valuable information.

LIMITING BREACHES WITH ZERO TRUST

There is a groundswell of interest right now in a security concept called Zero Trust, which requires a complete rethink of cybersecurity.

As traditional network perimeters dissolve, organizations must discard the old model of “trust, but verify” which relied on well-defined boundaries. Instead, organizations must strengthen security by implementing a “never trust, always verify” approach for everything — including users, endpoints, networks, servers and applications.

Zero Trust assumes that untrusted actors already exist both inside and outside the network. Trust must therefore be entirely removed from the equation. Centrify Zero Trust Security presumes that users and endpoints are not trustworthy, and verifies every user, validates their devices, and limits access and privilege. Centrify also utilizes machine learning to discover risky user behavior and apply conditional access — without impacting user experience.

The four pillars of Zero Trust Security

ZERO TRUST SECURITY WITH NEXT-GEN ACCESS

Organizations can start the journey to Zero Trust Security through a number of mature and proven approaches that unify single sign-on (SSO), multi-factor authentication (MFA), mobility management, privilege management and behavior analytics.

Next-Gen Access includes IDaaS, EMM, and Privileged Access Management (PAM)

Traditional Identity and Access Management (IAM) solutions cannot holistically address today’s growing threat landscape. By combining and implementing Next-Gen Access solutions, organizations will be protected through Identity-as-a-Service (IDaaS), enterprise mobility management (EMM) and privileged access management (PAM).

Only Centrify’s Next-Gen Access delivers an industry-recognized solution that uniquely converges IDaaS, EMM and PAM. This seamless integration secures access across applications, endpoints and infrastructure for all users, without sacrificing best-of-breed features.

ADVICE FOR CONSUMERS

Consumers should take swift action to limit the impact of any breach, beginning with the assumption that their data was compromised. While Equifax allowed consumers to visit its site to determine if they were impacted, these results may not have been entirely accurate as the breach was under ongoing investigation. Hopefully all consumers enrolled in the free credit monitoring offered by Equifax.

While these services won’t directly prevent identity theft, they will alert consumers to changes in credit score, newly opened accounts, large transactions and suspicious account activity. Consumers may also want to temporarily freeze their credit, which blocks potential creditors and others from viewing or modifying their credit history. Such freezes prevent the establishment of new accounts, and were also offered by Equifax at no cost.

As an alternative to a credit freeze, consumers may set a fraud alert with any of the major credit bureaus, requiring identity verification before any new credit is issued. Unlike freezes, fraud alerts need only be set with one credit bureau, which is then required to notify the others. Note, however, the alert must be renewed every 90 days. Alerts are less restrictive than freezes and may be a good alternative for consumers looking to open new credit accounts, or to buy a new home or automobile.

Lastly, consumers should monitor accounts on a regular basis, use multi-factor authentication whenever possible and request a free credit report annually, which will show all credit inquiries that have occurred and new accounts that have been opened.

For more information on how Centrify can secure your organization with Zero Trust Security through the power of Next-Gen Access, visit https://www.centrify.com.
