9 InfoSec Lessons from the Equifax Data Breach

On September 7, 2017, Equifax announced that they were victimized by a data exfiltration attack, and that the attackers compromised over 145 million records of US consumers. Millions of other records on British and Canadian citizens were also compromised. It was the largest data breach of 2017 and remains one of the ten largest breaches to date.

Breaches involving credit cards can be devastating, but credit cards have a finite life. If a card, or even large amounts of cards, are known to have been breached, closing the account(s) will put an end to things.

However, what makes the impact of the Equifax breach particularly devastating is that much of the information breached has a very long shelf life. Personal information such as a person’s name, date of birth, social security number, email address, and more can be exploited for decades after a breach.

During my recent webinar, Applying Vulnerability Management Lessons from the Equifax breach to Improve Your Security in 2019 (which you can now watch on-demand here), I discussed the Equifax breach and some of the issues which led to it. While the information security failures at Equifax were many, here are the 9 fundamental errors and oversights which paved the way for this calamitous breach:

1. Ineffective security strategy and infrastructure
2. Poor patch management
3. Lack of a certificate management program
4. Poor breach notification preparation
5. Legacy systems with severe security problems
6. Ineffective IT management structure
7. Poor information security policies
8. Lack of a software inventory
9. Lack of PCI compliance for a critical application

If Equifax had simply implemented and consistently executed an effective patch management policy, the 2017 data breach would have been prevented. Their failure to patch a known critical vulnerability in Apache Struts left a key critical system at risk for 145 days. That is nearly 5 months during which time cyber attackers enjoyed free reign across one of the largest databases of consumer data on the planet.

Equifax spent over $300 million to recover from the breach, of which insurance only covered about $75 million. Had Equifax invested some of that money into better information security (vulnerability management, etc.), they would not be the poster child for bad data security.

The heart of Equifax’s failure was that they fundamentally neglected to implement an adequate information governance program to protect their sensitive data. The lesson every organization can take from Equifax is that the breach was entirely preventable.

Only when enterprises take information security seriously, and have a CISO who is empowered with staff and a budget, can they reasonably expect to avoid the same fate as Equifax. Otherwise, expect a manifestation of what Gene Spafford, professor of computer science Purdue University, has coined Spaf’s Law, which holds that “if your position in an organization includes responsibility for security, but does not include corresponding authority, then your role in the organization is to take the blame when something happens.”

For a deeper dive into the Equifax breach and hard lessons learned, watch my on-demand webinar.