Equifax Breach: Warn Customers, Learn LessonsEquifax Breach: Warn Customers, Learn Lessons

Equifax on Thursday acknowledged a massive data breach in which attackers stole personal data on 143 million Americans, including names, Social Security and credit card numbers, birthdates and addresses.

And this story isn’t over. Bloomberg reports that days after Equifax discovered the breach, senior executives sold nearly $2 million in stock, then waited weeks to notify the public. Lawmakers have renewed calls for not only a uniform data breach notification standard, but also whether Congress needs to consider preventing companies from holding large sets of highly sensitive data.

451 Research’s Scott Crawford

Scott Crawford, research director for information security at 451 Research, tells Channel Partners the magnitude of the breach is staggering.

“U.S. Sen. Mark Warner characterized it well: ‘The Social Security numbers, birthdates, addresses and credit card numbers of nearly half the U.S. population,'” he said. “This makes it one of the worst ever. The collection of this depth and this volume of some of the most sensitive personal information by one of the three or four major organizations in this business makes these entities a prime target, so it’s not likely to be the last, either.”

When a small number of companies maintain control over collection and access to the sort of information gathered and marketed by the credit reporting organizations, consumers are left nearly powerless, Crawford said.

“Most are simply forced to accept as a necessity the need to have a credit history with these organizations in order to gain access to the consumer economy,” he said. “Where I would point the finger is at the appalling lack of public policy for the protection of consumer data in the United States in this industry. This is not the first breach of a credit reporting organization, nor will it likely be the last, but it is one of the worst ever. When access to this information may be controlled by no more than a PIN, there is clearly a lack of acknowledgement among these companies of just how valuable a target this information is.”

Chester Wisniewski, principal research scientist at Sophos, said the breach is another reminder that information that isn’t properly protected will be stolen. Whether it is in the cloud, on a thumb drive or on a mobile device, unprotected data is valuable to criminals. What’s worse is that the bulk of the information, such as Social Security numbers, birthdays, addresses and other personal details, is far more valuable than the stolen credit card information, he said.

“Partners need to take several steps as news of the massive Equifax data breach unfolds,” said Erin Malone, Sophos’ vice president of sales in North America and Partner Advisory Council leader. “Firstly, partners need to evaluate their customer base – do any customers collect data through web applications or require their (customers) to submit sensitive personally identifiable information (PII) to complete a transaction? Partners should immediately …

… check in with these customers to determine their current state of security and develop an immediate action plan to ensure data is protected at all levels.”

Cybercriminals would like to have enough information about you that they can in effect become you, and Equifax possesses that quantity and quality of data, said Kenneth Geers, senior research scientist at Comodo. Even if you are not a customer, Equifax likely has a lot of data about you, and you should take proactive steps in response to this hack, he said.

“On the technical side, it is critical that we learn what application was exploited, and what vulnerability was leveraged, so that other companies can take defensive action,” he said. “The fact that the Trustedid.com site isn’t yet working means that Equifax was simply not ready for the level of responsibility that possession of this quantity and quality of digital information requires. It is alarming that, despite past cybersecurity compromises, Equifax today apparently has no chief information security officer (CISO) to talk to.”

Comodo and other cybersecurity vendors exist to help with investigating and remediating issues like this, so the need for these services may increase as this breach makes headlines and companies become more aware of potential vulnerabilities they may also be facing, Geers said.

There certainly should be an opportunity for the channel to do more to help businesses and organizations safeguard against breaches, “given the scale and potential risk of these organizations and this information as a target,” Crawford said.

“But that may not materialize until (businesses and organizations) either recognize, or are forced to recognize, that their responsibility should be proportionate to the profits they realize from this data,” he said.

In his blog, Kevin Lancaster, CEO of ID Agent, said one particularly frightening aspect of the breach is that the exact date it occurred and who executed it is still unknown.

“Tactical tools and motivation are the first things that organizations look at when they suffer a compromise,” he said. “The first step upon hack is to look at potentially vulnerable systems that haven’t been patched and look at individuals who have access and can social engineer or collude with individuals on the inside. Given the volume of data, we can only speculate that there was some type of insider involvement here.”

Equifax has established a website where U.S. consumers can find out whether their information may have been breached and sign up for identity theft protection and credit monitoring across not just Equifax, but Experian and TransUnion, as well as other protections, free for one year.

“The information has been in the hands of criminals for more than six weeks already, so time is not on your side,” Wisniewski said. “While the monitoring is often of little value, it is worth signing up for.”