Another day, and another data breach has hit a large company that could potentially impact millions of people.
The data breach at the US credit card company Equifax has reportedly exposed the social security numbers and other data of around 143 million Americans.
Cyber security experts from the tech industry have been quick to react to yet another data breach. CBR lists their insights and recommendations.
David Emm, principal security researcher, Kaspersky Lab
“This is yet another case of a breach becoming public long after the incident itself occurred, which underlines the need for regulation. It’s to be hoped that the GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and, secondly, notify the ICO of breaches in a timely manner.
“The best way for organisations to combat cyber-attacks is by putting in place an effective cyber-security strategy before it becomes a target. Customers that entrust private information to businesses should be safe in the knowledge it is kept in a secure manner – and businesses should use security solutions to significantly mitigate the risk of a successful attack. There are also other measures that companies can take in order to provide thorough protection, which include running fully updated software, performing regular security audits and performing penetration testing.
“Consumers have no control over the security of their online providers, but they can mitigate the risk of a security breach of an online provider’s systems. We would recommend that everyone uses unique, complex passwords for all their online accounts, and we would also urge people to take advantage of two-factor or two-step authentication where a provider offers this.”
Ondrej Vlcek, CTO and General Manager, Consumer, Avast
“It is still not clear what kind of vulnerability was taken advantage of in the Equifax breach; however, it is likely it was a leak through a web application flaw. It is unacceptable that credit bureaus, which hold so much personal information which they then sell, can allow such a breach to happen and practice poor security hygiene.
“We speculate that the attackers used a SQL injection to gain access. Hackers are consistently searching for these vulnerabilities, and companies, especially those with access to so much sensitive information, need to significantly increase their diligence in maintaining security of their data. This is one of those cases where there is unfortunately really nothing consumers can do except be vigilant. We expect it is only a matter of when, not if, this data appears on the Dark Web market.
“At this point there are a few actions potential victims can take to help ensure they are protected. First, closely monitor all email, social, credit card and bank accounts for suspicious activities. Second, consider looking into a credit freeze that will stop hackers from using your identity to accrue debt. Also, don’t respond directly to emails and other messages notifying you that you’re a victim. They may be scams. Instead, open up a new tab and log in directly to the site in question, or call the support center number listed on their site.”
Nigel Hawthorn, chief European spokesperson at Skyhigh Networks
“No doubt Equifax has been working feverishly behind the scenes since it found the breach in July. All businesses must think about the steps they would take in similar circumstances to investigate a breach, track the data lost and put together a communication plan to customers. Not having a pre-prepared and tested incident response plan causes delay in disclosing data loss which simply opens up the company to further criticism and reputation damage when information is eventually publicised. Moreover, companies have to ensure that they are aware of every outsourcer, business partner or cloud service that may be sharing data, as similar breaches at any of those will have repercussions up the chain.
“For all of us as consumers, we need to recognise that someone may have, and lose, our data even if we don’t deal directly with them.”
Andreas Kuehlmann, senior vice president and general manager, Synopsys, Software Integrity Group
“We’ve grown accustomed to data breaches, but what events like this and the recent ransomware outbreaks bring to light is that the scope and impact of cyberattacks are intensifying. We are more interconnected and dependent on software than ever, and when that software or those who maintain it are compromised, the consequences are becoming increasingly disruptive. It is imperative that organisations take a more proactive and aggressive stance on security – and it starts with building more secure software.”
Chris Morales, head of security analytics at Vectra
“Equifax needs to raise their cybersecurity score. Enterprises have to realise they cannot address cybersecurity by simply spending money on intrusion prevention solutions and instead need to shift investments to detection and response solutions that are being used by today’s advanced attackers.
“The cyber attackers gained a foothold by seemingly exploiting a web application vulnerability. From there, they most likely escalated privileges, abused credentials and admin protocols, moving laterally through the network, which businesses rarely have the necessary tools to detect.”
Anthony Di Bello, Sr Director of Product, Guidance
“Equifax’s breach is yet another data point (albeit a massive one) in the new reality of “continuously compromised” organizations. Make no mistake about it: these breaches will continue to happen and make headlines. Our research found that one in four businesses suffered direct financial losses due to a cyber attack in the past year (and organizations reporting “significant financial losses” tripled).
“Almost two-thirds had fallen victim to malware-related breaches. We’re in a new reality where it’s not just “will my company get breached?” but a question of when. Fighting back requires a well-planned endpoint detection and response strategy that can mitigate the otherwise crippling repercussions businesses are increasingly seeing from these cyberattacks.”
Richard Henderson, Global Security Strategist, Absolute
“Just when we think the days of massive breaches are behind us, another company pops up and says, “here, hold my beer and watch this!”
“All joking aside, this is likely going to be the ‘breach of the year’, if such awards were handed out. Over 140 million Americans have had their info potentially stolen. That’s over 40% of the entire population of the United States.
“This is the biggest fear of any company who collects such intimate and personal data of people come true. The data reportedly stolen (as of now) includes full names and birthdays, addresses, SSNs and in some cases driver’s license numbers. This is a motherlode of information for cybercriminals looking to commit identity theft.
“We have to expect that the fallout from this will likely be unprecedented. Many people are going to lose their jobs, including Equifax executives, people will be brought before Congress to explain what happened, and consumer trust in *all* of the credit reporting agencies will be eroded.
“It may be time for us to reconsider exactly how we allow companies to store all of this data. It’s clear that these mega-databases are prime targets for attack, and we may need to take a hard look at legislative changes that will force databrokers and collectors to take security up a few levels.”
Amit Yoran, CEO of Tenable
“The details of any incident may not be known until a thorough forensic investigation is complete. Too much speculation before the facts are known is irresponsible.
“We do know that the modern attack surface that organizations have to protect is extremely complex. Their IT systems are constantly evolving and it’s imperative that they maintain a current understanding of their systems, how their business relies on technology, and what their state of cyber hygiene looks like. Those are foundational requirements to understand and manage their level of cyber and business risk.”
Tim Erlin, VP, Product Management and Strategy at Tripwire
“It’s clearly early days for this news, and we can expect to learn more about the details in the future. With nearly every publicly announced breach, there’s new information discovered after the initial disclosure.
“The best time to develop a response plan for a breach is well before one occurs. Information security teams at other organizations should use this incident as an opportunity to evaluate their own plans.
“All organizations that collect and store sensitive data are targets. Doing the basics right, such as ensuring secure configurations, managing vulnerabilities and capturing log data, is the most effective way to prevent breaches.
“A breach isn’t a single point in time, but a span of time in which an organization is compromised. Prevention is primary, but detection and response are absolutely necessary as well.”
Andrew Clarke, EMEA Director at One Identity
“Whenever news breaks of a cyber attack nowadays it just seems to get worse every time. 143M consumers is a massive hit. And the immediate damage is to the reputation of Equifax. The after-hours share price is dropping, which takes millions off the company’s value, plus the inevitable regulatory inspections and subsequent fines – this will absolutely cause them long-term damage.
“It is also revealed that 209K customer credit card numbers were accessed – if this is the case, it breaks PCI regulations plus causes a logistical nightmare for the affected consumers and credit card providers. We have witnessed many cases now of this type of incident and experience shows that it is basic measures that would have cost substantially less than the impact costs to mitigate.
“Often we see privilege or administrator accounts being used to gain super-user status in the infrastructure which enables attackers to plant malware and circumvent security measures to access what would be otherwise secure records and databases. Privilege Access Management is proving to be one of the most foundational measures that a company can take to control and manage this risk.
“Other factors include user education coupled with best security practices embracing tools such as firewalls; patch management and vulnerability assessment to close loop-holes and limit exposure. In addition, the fact the attack occurred from mid-May to mid-July points to the fact that tools such as identity analytics and risk intelligence are not in place or working effectively here.
“After this attack, as Equifax attempt to recover their position, big questions will be asked in the board-room – but as ever post attack these are always challenging to deal with – it is far better to anticipate that this type of attack is very likely now and have detailed plans to deal with it both from a technical perspective but also a public relations perspective. Unfortunately, after the event it is often too late to save the day!”