9 InfoSec Lessons from the Equifax Data Breach

February 4, 2019

On September 7, 2017, Equifax announced that it had been the victim of a data exfiltration attack in which the attackers compromised over 145 million records of US consumers. Millions of other records on British and Canadian citizens were also compromised. It was the largest data breach of 2017 and remains one of the ten largest breaches to date.

Breaches involving credit cards can be devastating, but credit cards have a finite life. If a card, or even a large number of cards, is known to have been breached, closing the affected account(s) puts an end to the matter.

However, what makes the impact of the Equifax breach particularly devastating is that much of the information breached has a very long shelf life. Personal information such as a person’s name, date of birth, Social Security number, and email address can be exploited for decades after a breach.

During my recent webinar, Applying Vulnerability Management Lessons from the Equifax Breach to Improve Your Security in 2019 (which you can now watch on-demand here), I discussed the Equifax breach and some of the issues that led to it. While the information security failures at Equifax were many, here are the 9 fundamental errors and oversights that paved the way for this calamitous breach:

  1. Ineffective security strategy and infrastructure
  2. Poor patch management
  3. Lack of a certificate management program
  4. Poor breach notification preparation
  5. Legacy systems with severe security problems
  6. Ineffective IT management structure
  7. Poor information security policies
  8. Lack of a software inventory
  9. Lack of PCI compliance for a critical application

If Equifax had simply implemented and consistently executed an effective patch management policy, the 2017 data breach would have been prevented. Its failure to patch a known critical vulnerability in Apache Struts left a critical system at risk for 145 days. That is nearly 5 months during which cyber attackers enjoyed free rein across one of the largest databases of consumer data on the planet.

Equifax spent over $300 million to recover from the breach, of which insurance covered only about $75 million. Had Equifax invested some of that money in better information security (vulnerability management, etc.), it would not be the poster child for bad data security.

The heart of Equifax’s failure was that it fundamentally neglected to implement an adequate information governance program to protect its sensitive data. The lesson every organization can take from Equifax is that the breach was entirely preventable.

Only when enterprises take information security seriously, and have a CISO who is empowered with staff and a budget, can they reasonably expect to avoid the same fate as Equifax. Otherwise, expect a manifestation of what Gene Spafford, professor of computer science at Purdue University, has coined Spaf’s Law, which holds that “if your position in an organization includes responsibility for security, but does not include corresponding authority, then your role in the organization is to take the blame when something happens.”

For a deeper dive into the Equifax breach and hard lessons learned, watch my on-demand webinar.

Ben Rothke, Senior Security Consultant, Nettitude

Ben Rothke (@benrothke) is a senior security consultant with Nettitude and has over 15 years of industry experience in information systems security and privacy. His career incorporates a successful track record across corporate and consulting roles, securing IT assets for numerous Fortune 1000 companies.

He is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill) and a speaker at industry conferences, such as RSA and MISTI, and holds numerous industry certifications.
