Reuters is reporting that credit-reporting company Equifax Inc will pay up to a record $650 million to settle U.S. federal and state probes into the massive 2017 breach of personal information, authorities said on Monday. The largest-ever settlement for a data breach draws to a close multiple probes into Equifax by the Federal Trade Commission, the Consumer Financial Protection Bureau and nearly all state attorneys general.
BREAKING: Equifax will pay $700 million to settle 2017 data breach that exposed private information of nearly 150 million people. https://t.co/bJ7qIt2q62
— The Associated Press (@AP) July 22, 2019
The Equifax 2017 breach was articulated as a ‘failure to patch’, but the reality is that the security failures were far broader. Poor IT governance, vulnerability discovery, application architecture, identity and privileged access management and other factors led to 147 million consumers’ highly sensitive records being exfiltrated. Because the company was not practicing continuous monitoring of its IT environment and was failing to validate its security controls on an ongoing basis, hackers had access to its systems for 76 days without detection. While part of the settlement requires Equifax to make changes to its business practices to strengthen security, simply investing in more cybersecurity tools is useless unless the company can be sure that those tools are effective. Case in point: Equifax shared that between 2014 and 2017 it spent $250 million on cybersecurity investments, yet it still suffered one of the worst data breaches of all time.
The cost of validating security controls is not comparable to the cost of a data breach, including fines under GDPR, the cost of cleanup and incident response, the cost of reparations for the customers exposed, and litigation that could very well run into the hundreds of millions. Last week British Airways was fined $230 million, showing that EU data watchdogs are cracking down on organizations that have exposed EU citizens’ data. To avoid similar repercussions, organizations must continuously test the efficacy of their security controls to ensure they are working as expected, and must continuously analyze the security of their environments to identify and remediate weaknesses. The threat landscape is evolving constantly, and as companies make changes to their IT environments they can be secure one day and extremely vulnerable the next.
Even though Equifax’s breach is largely due to the company’s failure to remediate the gap in Apache Struts, the attackers were successful in siphoning off 147 million Americans’ sensitive personally identifiable information (PII) because of Equifax’s lack of data governance. Equifax failed to set risk-based limits on access to important information such as usernames and passwords, allowing the hackers to run around 9,000 queries in total to find PII data sources on its network.
To avoid a similar fate, and a huge $700 million fine, organizations must adopt an identity-centered Zero Trust security program. If every action made by the attackers had prompted authorization and authentication, the consumers’ data would not have been stolen off the company’s network so quickly. In a Zero Trust model, authentication and authorization are necessary in order to leverage more information about the context of the event. Organizations can no longer rely on simple username and password authentication, as these credentials can easily fall into the wrong hands.
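The two comments above describe authorization on every action rather than at login, and risk-based limits on access to sensitive data. As an added example, not code from the original article or from any of the vendors quoted in it, the Python below models a gateway that evaluates each query against the caller's role, MFA and device state and a per-identity budget for PII reads, then replays the 9,000-query pattern mentioned above through it. The roles, data-source names, the 50-query budget and all four scenarios are constructed assumptions.

```python
"""Added example: per-request Zero Trust authorization with a PII query budget.
Every name, role, threshold and scenario here is a constructed assumption."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

# Least-privilege map of which role may touch which data source (constructed).
ROLE_ACCESS = {
    "web-app-svc": {"dispute_portal"},
    "fraud-analyst": {"dispute_portal", "consumer_records"},
}
# Sensitivity per data source; unknown sources are treated as the strictest class.
DATA_SENSITIVITY = {"dispute_portal": "internal", "consumer_records": "pii"}


@dataclass(frozen=True)
class Request:
    principal: str        # identity making the call
    role: str             # role asserted for that identity
    mfa_verified: bool    # second factor presented for this session
    device_managed: bool  # request comes from an enrolled, compliant device
    data_source: str      # table or service being queried


class ZeroTrustGateway:
    """Authorizes every data access on its own merits; a prior login grants nothing."""

    def __init__(self, pii_query_budget: int = 50):
        self.pii_query_budget = pii_query_budget
        self.pii_queries = defaultdict(int)   # per-principal count of PII reads

    def authorize(self, req: Request) -> Tuple[bool, str]:
        # 1. Authorization is per request: the role must be allowed this source.
        if req.data_source not in ROLE_ACCESS.get(req.role, set()):
            return False, "role not permitted on data source"
        sensitivity = DATA_SENSITIVITY.get(req.data_source, "pii")
        if sensitivity == "pii":
            # 2. Context: stronger proof of identity and device for sensitive data.
            if not req.mfa_verified:
                return False, "PII access requires MFA"
            if not req.device_managed:
                return False, "PII access requires a managed device"
            # 3. Risk-based limit: a per-identity budget, so one credential cannot
            #    sweep thousands of records without tripping a review.
            if self.pii_queries[req.principal] >= self.pii_query_budget:
                return False, "PII query budget exhausted; step-up review required"
            self.pii_queries[req.principal] += 1
        return True, "allowed"


def replay(req: Request, n: int, budget: int = 50) -> Tuple[int, int, Optional[str]]:
    """Replay one request n times through a fresh gateway.

    Returns (allowed, denied, reason for the first denial or None)."""
    gw = ZeroTrustGateway(budget)
    allowed = denied = 0
    first_reason = None
    for _ in range(n):
        ok, reason = gw.authorize(req)
        if ok:
            allowed += 1
        else:
            denied += 1
            if first_reason is None:
                first_reason = reason
    return allowed, denied, first_reason


# Constructed scenarios. The 9,000-query figure is the number cited in the comment
# above; the identities and roles are made up for the example.
def compromised_web_app() -> Tuple[int, int, Optional[str]]:
    """Code running under the web application's service identity tries to read PII."""
    return replay(Request("webapp-svc", "web-app-svc", False, False, "consumer_records"), 9000)


def stolen_analyst_password() -> Tuple[int, int, Optional[str]]:
    """Valid analyst credentials, but no second factor and an unknown device."""
    return replay(Request("analyst-1", "fraud-analyst", False, False, "consumer_records"), 9000)


def hijacked_analyst_session() -> Tuple[int, int, Optional[str]]:
    """A fully authenticated analyst context is abused to sweep records."""
    return replay(Request("analyst-1", "fraud-analyst", True, True, "consumer_records"), 9000)


def legitimate_analyst() -> Tuple[int, int, Optional[str]]:
    """Normal working volume stays within the budget."""
    return replay(Request("analyst-1", "fraud-analyst", True, True, "consumer_records"), 20)


if __name__ == "__main__":
    for scenario in (compromised_web_app, stolen_analyst_password,
                     hijacked_analyst_session, legitimate_analyst):
        print(f"{scenario.__name__:26s} allowed/denied/first-denial: {scenario()}")
```

Running the block prints one line per scenario. The hijacked-session case is the one worth studying: the caller passes every identity and device check, yet the per-identity budget still stops the sweep after 50 reads and forces a review, which is the difference between authorizing at login and authorizing every action. In a real deployment the budget would be set from a baseline of each role's normal query volume rather than the constant used here.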
The past two weeks’ stiff penalties for data security and privacy mishaps, here in the US and across the pond, signal a sea change in how companies across the world must handle the consumer data they amass and distribute. Unfortunately, the missteps that led to the breaches reflect widespread poor data governance and digital asset security. These breaches are avoidable, however, with an effective security strategy that addresses the risks inherent in the digital environment. Knowing who runs what code on your websites and mobile apps, yet lies outside your IT perimeter, is a crucial first step in controlling those risks. After all, you can’t control who and what you don’t know.
I’m far from an Equifax apologist, but the truth is it could have been anyone. It’s not an excuse, but rather the reality we live in. The best outcome isn’t Equifax making the situation right – although that is important for all of those affected – it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it’s got to be from the ground up too. There’s no silver bullet. There’s no one thing that mitigates the exposure. A multi-layered, multi-faceted approach is critical to making the juice not worth the squeeze for bad actors looking to score quickly and easily.
We’ll see more and more regulators “bring the hammer down” and levy some of the largest fines ever seen to raise the sense of urgency for businesses to protect their clients’ sensitive information. This time it’s the FTC; next it could be European GDPR, then the upcoming California Consumer Privacy Act, and then many other privacy regulators worldwide.
European GDPR has fines of up to 4% of global revenues, while the FTC seems headed towards much heftier fines, with roughly 9% on Facebook and roughly 25% on Equifax. This sets a new precedent and is a wake-up call to all businesses to be extremely careful.
However, many businesses are still not doing enough to protect their clients’ sensitive information. They do not realize that internet and cloud services are not bullet-proof. They assume that their information is safe with service providers. But a simple misconfiguration, a bug or abuse of an API could cause major exposure and havoc.
Businesses should assume that their digital data will be leaked in some capacity. They should ensure appropriate measures are always in place to keep the data protected, whether it’s at rest or in use: a stitch in time saves nine. Data breaches cause major financial losses, and sometimes businesses never recover from them due to stiff penalties, post-breach notification costs, forensics costs and reputational damage.
It’s hard to regain user trust unless the company makes a tenfold investment to change its culture and approach to user data protection, and delivers on its promises after such public punishment. The business cannot afford another occurrence. It needs to think proactively about the different ways its platform can be abused and user content can be breached.
Data is becoming an important currency; business opportunity and reliance on data are increasing, and so is the exponential growth of data. However, storing personal information collected from end users is a liability. The more you have, the greater that liability becomes. If you properly protect the information, then you can turn it into a big asset for your business.
Organizations must be aware of the growing risk around their data and always protect user content, personally identifiable information (PII) and protected health information (PHI). With the growing number of regulations on the data privacy of individuals, exposing such data opens the organization to breaches and reputational damage as well as stiff penalties.
Organizations should select tools that automatically protect their sensitive information and keep it protected at all times. For instance, they should access all cloud applications via a cloud security broker with automatic rights management and end-to-end data protection.