On September 7, 2017, credit agency Equifax announced they had suffered a massive data breach that could affect 143 million consumers.
As one of the three largest credit agencies in the U.S., Equifax’s databases contained full names, Social Security numbers, driver’s license numbers, mailing addresses, birth dates, credit card numbers, and all manner of personal information. As if the loss of this sensitive information wasn’t bad enough for Equifax’s reputation, it took the company more than five weeks to disclose the data loss to the public (but not before three Equifax managers sold nearly $1.8 million worth of stock in the company). Equifax was working with the FBI and Mandiant to identify the attackers behind the breach before the disclosure, but the delay in informing the public does not look good.
While Equifax has launched a WordPress-powered website to connect with consumers affected by the recent security breach, this site asks potentially-affected visitors to share six digits of their social security numbers on a stock installation WordPress site. It’s not news that WordPress has fallen victim to a number of serious security exploits over the years, and this site does not offer the kind of enterprise-level security consumers should expect. In addition, Equifax’s failure to obtain proper consent for acquiring and sharing sensitive information is not compliant with GDPR regulations in the EU.
How the Equifax Attack Happened
While Equifax has not released in-depth information about the attack, the company publically stated that cyber attackers “exploited a U.S. website application vulnerability to gain access to certain files.” We do not know many other details at this point, such as if Equifax’s web servers were up to date on the latest security patches. That said, it looks like the company’s web applications offered excessively broad access to very sensitive information.
Sadly, this narrative is not a new one. Consider how many major corporations and organizations have suffered large data breaches just this year! It’s deeply unfortunate that a company with such vast stores of sensitive data lacked better security. However, this story sounds familiar because it happens far too often—many organizations focus on growth and business goals first, leaving information security as an afterthought.
How the Equifax Attack Could Have Been Prevented
Ensuring application security is essential in our hyperconnected world. In the Equifax situation, it’s likely that a thorough penetration test or code review could have identified the security risk at an early stage. Taking the time to introduce sophisticated automation in the company’s security testing would also have identified the risk long before it became a serious problem.
All of these measures are part of a sophisticated SecDevOps approach. Until more companies integrate security thinking and best practices into the development of web and mobile applications, breaches like Equifax will continue to occur.
Equifax was just accused of another data security breach affecting its operations in Argentina. This particular breach seems unrelated to their previous troubles, as it was the result of poor password practices. Still, it seems the large company has a great deal of work ahead in securing its critical data and systems.