ITsecurity

The Equifax breach beggars belief

Posted by on September 17, 2017.

The art of spin is to make bad news look like good news. Well, good luck to Equifax in spinning its way out of the loss of 143 million credit records in America.

Equifax UK, however, is having a stab at it. With classic timing it released its statement late on Friday — I received it by email at 7:25 pm. Bear in mind that 400,000 UK residents are affected. The statement says:

The information was restricted to: Name, date of birth, email address and a telephone number and Equifax can confirm that the data does not include any residential address information, password information or financial data. Having concluded the initial assessment Equifax has established that it is likely to need to contact fewer than 400,000 UK consumers… Due to the nature of the information Equifax believes identity takeover is unlikely for the UK consumers who had their data potentially accessed in this incident.

Strictly speaking, this is true. The 400,000 UK customers are not likely to have their identities stolen solely through this breach — but there is a serious threat from subsequent targeted phishing, using this stolen personal information, that could lead to bank fraud and identity theft. Strangely, there is no mention of this follow-on threat in the Equifax statement.

The NCSC statement is far more realistic:

The main risk to UK citizens affected by this data breach is that they could be on the receiving end of more targeted and realistic phishing messages. Fraudsters can use the data to make their phishing messages look much more credible, including using real names and statements such as:

‘To show this is not a phishing email, we have included the month of your birth and the last 3 digits of your phone number’.
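The NCSC point is worth turning into a concrete defensive check: a message that offers a fragment of your personal data as "proof" that it is genuine is a warning sign, not reassurance, because that fragment is exactly what a breach hands to fraudsters. The script below is an added illustration written for this post (it is not NCSC or Equifax code) showing how a mail filter could score inbound messages on that pattern. The sample messages, the indicator regexes, the weights and the flag threshold are all constructed assumptions for the example; a real deployment would tune them against its own mail corpus.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages for the example (not real Equifax or NCSC material).
SAMPLE_MESSAGES = [
    "Dear Jane Smith, to show this is not a phishing email we have included the month "
    "of your birth (March) and the last 3 digits of your phone number (482). "
    "Please confirm your account at http://example.invalid/verify",
    "Hi team, the quarterly report is attached. Let me know if the numbers need revising.",
    "Your order #12345 has shipped. Track it at https://example.invalid/track",
    "Security notice: as proof this message is genuine, we can confirm your date of birth "
    "is 12 March 1980. Click to reset your password.",
]

# Each indicator is (label, compiled regex, weight). The patterns are deliberately
# narrow and are assumptions for this example; tune them against your own mail.
INDICATORS = [
    # The sender claims that knowing some of your data proves the message is genuine.
    ("legitimacy-claim",
     re.compile(r"\b(?:to (?:show|prove) (?:that )?this is not (?:a )?(?:phishing|scam)"
                r"|as proof (?:that )?this (?:message|email) is (?:genuine|legitimate|real))",
                re.IGNORECASE), 3),
    # A fragment of personal data of the kind exposed in a breach (partial DOB, phone digits).
    ("partial-pii",
     re.compile(r"\b(?:month of your birth|last \d digits of your (?:phone|telephone|account)"
                r"|(?:date|year) of (?:your )?birth)\b", re.IGNORECASE), 2),
    # A request to act (follow a link, reset credentials, confirm details).
    ("call-to-action",
     re.compile(r"\b(?:verify|confirm|reset|update) your (?:account|password|details)\b"
                r"|https?://\S+", re.IGNORECASE), 1),
]

# Assumed threshold: a legitimacy claim plus any partial PII is enough to flag.
FLAG_THRESHOLD = 4


@dataclass
class Verdict:
    flagged: bool
    score: int
    reasons: list = field(default_factory=list)


def score_message(body: str) -> Verdict:
    """Score one message body; each indicator counts at most once."""
    score = 0
    reasons = []
    for label, pattern, weight in INDICATORS:
        if pattern.search(body):
            score += weight
            reasons.append(label)
    return Verdict(flagged=score >= FLAG_THRESHOLD, score=score, reasons=reasons)


def triage(messages):
    """Score a batch of message bodies and return one Verdict per message."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for body, verdict in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        status = "FLAG" if verdict.flagged else "ok  "
        print(f"{status} score={verdict.score} reasons={verdict.reasons} :: {body[:60]}...")
```

The scoring is additive so that a plain link, or a plain "confirm your details", does not trip the filter on its own; it is the combination of a legitimacy claim with a data fragment that mirrors the NCSC example and pushes a message over the threshold. The reasons list is kept so an analyst can see which indicator fired rather than just a number.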

We still do not definitively know how the breach was effected. It does seem, however, that an Apache Struts flaw was exploited. The flaw was disclosed and fixed in March 2017. According to Equifax, the hackers had access between mid-May and late July — meaning that a critical flaw was left unpatched for around 2 months before the hackers exploited it. Equifax learned of the breach on 29 July — meaning it took them five weeks to tell their customers that personal information had been stolen.

Neither of these delays is acceptable. Now, the CIO is a position created by the CEO to act as a scapegoat should anything go wrong in the increasingly complex IT infrastructure. Similarly, the CSO is a position created by the CIO to act as a scapegoat should anything go wrong in the increasingly complex information security environment. It is only right and proper, then, that both of these officers had their scapes goated on Friday — we’re told they ‘retired’, so they fell on their own swords rather than had them plunged in by the CEO.

It’s still not good enough. I shall expect to see the CEO also go as soon as possible. I also expect the various regulatory bodies currently investigating the breach to come down very heavily on the company. However hard that is, Equifax can feel lucky that the breach happened now rather than next year. After May 2018, it would be liable to GDPR sanctions in the EU and a new Data Protection Act in the UK — both of which could, in theory, levy fines of very many millions of dollars.


Submitted in: Expert Views, Kevin Townsend's opinions