Equifax Data Breach Analysis

Presentation transcript:

Equifax Data Breach Analysis
Linlan Chen, Rouying Tang, Mustafa Aydin, Somayeh Keshtkar, Khawlah Alswailem, Adam M Joskowicz

Agenda
Equifax Background
What Happened?
How Did It Happen?
Impact to the Business
Missing Controls
Recommendation
References

Equifax background and industry
Consumer credit reporting agency
800 million individual consumers
US$ 3.1 billion in annual revenue
9,000 employees in 14 countries
Operates or has investments in 24 countries

Achievements for the company
Top 100 American Banker FinTech Forward list (2015-2016)
Top Technology Provider on the FinTech 100 list (2004-2016)
InformationWeek Elite 100 Winner (2014-2015)
Top Workplace by Atlanta Journal Constitution (2013-2017)
One of Fortune’s World’s Most Admired Companies (2011-2015)
One of Forbes’ World’s 100 Most Innovative Companies (2015-2017)

Information
Names
Social Security numbers
Birth dates, addresses
In some instances, driver’s license numbers
Credit cards

Company Timeline

What happened?
On Sept. 7, 2017, Equifax announced that an application vulnerability on one of its websites had led to a data breach that exposed consumer data. The breach itself was discovered on July 29.
Equifax suffered one of the largest data breaches ever, affecting about 143 million consumers in the US. Consumers in the UK and Canada were affected as well.
209,000 people’s credit card numbers and the personal identifying information of 182,000 people were stolen.

How did it happen?
The vulnerable component was a tool called Apache Struts.
Equifax was aware of the vulnerability.
It took a long time for the vulnerability to be identified and patched.
It took a month to alert customers and shareholders about the hack.

Root Cause of the Issue
Attackers entered Equifax's system in mid-May through a web-application vulnerability for which a patch had been available since March.
The vulnerability that attackers exploited to access Equifax's system was in the Apache Struts web-application software, a widely used enterprise platform.
CVE-2017-5638, an Apache Struts vulnerability, is the root cause of the Equifax data breach.

Root Cause of the Issue

Root Cause of the Issue
“Patching can take time, even for large corporations with dedicated security staff, which Equifax presumably had.”
The process of patching the flaw isn’t as simple as just downloading it; it involves:
Vulnerability Identification and Patch Acquisition
Risk Assessment and Prioritization
Patch Testing
Patch Deployment and Verification
The Equifax data compromise was due to Equifax's failure to install the security updates provided in a timely manner.
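
The four patching steps above are easier to reason about as a small program. The following example is added here and is not from the slides or from any Equifax or Apache tooling: it identifies installs that are older than the first fixed release of their release line (step 1), ranks them by exposure and active exploitation (step 2), and reports which ones are already past their remediation deadline on a given date. The SLA values, hostnames and inventory are invented; the fixed Struts versions and the advisory date are my reading of the Apache S2-045 advisory for CVE-2017-5638 and should be verified against it before reuse.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    fixed_versions: tuple      # first fixed release on each affected release line
    patch_available: date
    exploited_in_wild: bool


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


# Assumed remediation policy (not stated on the slides): days allowed from patch
# availability to verified deployment, by risk tier.
SLA_DAYS = {"emergency": 3, "high": 14, "normal": 30}
TIER_ORDER = {"emergency": 0, "high": 1, "normal": 2}


def parse_version(text: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(installed: str, advisory: Advisory) -> bool:
    """Vulnerable if the install is older than the first fixed release on its line."""
    inst = parse_version(installed)
    fixed = [parse_version(f) for f in advisory.fixed_versions]
    same_line = [f for f in fixed if f[:2] == inst[:2]]
    if same_line:
        return inst < same_line[0]
    # Release line not named in the advisory: conservatively treat anything
    # older than the oldest fixed release as vulnerable.
    return inst < min(fixed)


def risk_tier(asset: Asset, advisory: Advisory) -> str:
    """Step 2 of the slide's process: prioritise by exposure and active exploitation."""
    if advisory.exploited_in_wild and asset.internet_facing:
        return "emergency"
    if advisory.exploited_in_wild or asset.internet_facing:
        return "high"
    return "normal"


def assess(inventory, advisory: Advisory, today: date) -> list:
    """Steps 1 and 2: identify vulnerable installs and compute their deadlines.

    Steps 3 and 4 (testing, deployment and verification) close a finding when a
    re-scan shows a version that is no longer vulnerable.
    """
    findings = []
    for asset in inventory:
        if asset.product != advisory.product or not is_vulnerable(asset.version, advisory):
            continue
        tier = risk_tier(asset, advisory)
        deadline = advisory.patch_available + timedelta(days=SLA_DAYS[tier])
        findings.append({
            "host": asset.host,
            "version": asset.version,
            "tier": tier,
            "deadline": deadline.isoformat(),
            "days_since_patch": (today - advisory.patch_available).days,
            "overdue": today > deadline,
        })
    return sorted(findings, key=lambda f: (not f["overdue"], TIER_ORDER[f["tier"]], f["host"]))


# Constructed advisory record for CVE-2017-5638. Fixed versions and date are my
# reading of the Apache S2-045 advisory; verify them against the advisory itself.
STRUTS_S2_045 = Advisory(
    cve="CVE-2017-5638",
    product="apache-struts",
    fixed_versions=("2.3.32", "2.5.10.1"),
    patch_available=date(2017, 3, 6),
    exploited_in_wild=True,
)

# Constructed inventory: hostnames and installed versions are invented.
SAMPLE_INVENTORY = [
    Asset("web-frontend-01", "apache-struts", "2.3.31", internet_facing=True),
    Asset("web-frontend-02", "apache-struts", "2.3.32", internet_facing=True),
    Asset("intranet-reports", "apache-struts", "2.5.10", internet_facing=False),
    Asset("batch-api", "apache-struts", "2.5.10.1", internet_facing=True),
]
AS_OF = date(2017, 5, 13)   # "mid-May", when the slides say the attackers got in


def sample_assessment() -> list:
    return assess(SAMPLE_INVENTORY, STRUTS_S2_045, AS_OF)


if __name__ == "__main__":
    for finding in sample_assessment():
        print(finding)
```

Run as of mid-May, the two unpatched hosts come back roughly two months past a deadline measured in days, which is the gap the slides describe. Note that the version check compares tuples of integers; comparing "2.5.10.1" and "2.5.9" as strings would get the answer wrong.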

Consequences | Impact to the business
Impact on Consumers: 143 million US consumers had the following exposed:
Social Security Numbers
Drivers’ License Numbers
Birthdates
Addresses
Credit Card Numbers
This affects at least 44% of the American population.
Equifax added that 209,000 credit card numbers were stolen, in addition to "certain dispute documents with PII for approximately 182,000 U.S. consumers."
Others in the U.K. and Canada were also impacted, but Equifax hasn't said how many.

Consequences | Impact to the business
Financial Loss
Estimated: after insurance, costs tied to dealing with the crisis could run between $200 million and $300 million.
According to attorneys in Chicago, Equifax will pay more than $1 billion, with most of the cash going directly to those affected.
Equifax is offering 12 months of free TrustedID Premier credit monitoring.
Investors
Wall Street has rendered an estimate: $4 billion in lost stock market value.
Equifax shares have dropped over 20%.
Investors are bracing for lawsuits, lost business, and increased regulation.
Three top Equifax executives sold shares in the company days after the breach was discovered, but before it was announced...

Consequences | Impact to the business
Reputational Loss
CFO: John Gamble Jr.
Workforce Solutions President: Rodolfo Ploder
U.S. Information Solutions President: Joseph Loughran
Combined, they sold nearly $2 million in shares in the company days after the cyber attack.
Congressional Scrutiny
The Justice Dept. and SEC are holding open investigations.
Multiple hearings: ex-CEO Richard Smith is set to testify before four separate congressional committees.

Consequences | Impact to the business
Reputational Loss (Cont.)
Richard Smith, in an interview with The Atlanta Business Chronicle on August 1st, two days after the breach was discovered, gave his keys to a CEO building a higher level of trust:
"Transparency, candor, consistency, and humility. Employees want an appropriate level of transparency about decisions and they expect us to be candid with them. Employees will detect a disconnect in a heartbeat, so we must be consistent in our words, our actions, and appearances. The final ingredient depends on the CEO. We have to remain humble if we’re going to build trust. That means not just listening to people at all levels, but trusting that what they have to say matters. Leaders in particular must build trust by giving trust."
Buried in the terms of service: language barring those who enroll in Equifax’s credit checker program from participating in any class-action lawsuits that may arise from the incident.

Consequences | Impact to the business
Eric Schneiderman, NY Attorney General
Took action publicly and privately.
One of many public figures who publicly criticized Equifax for its weak apology as well as the embedded language.

Missing Controls
1. Patch Management Governance
Patch management should be based on an assessment that balances the security and downtime risk of a security breach with the cost, disruption and availability risks associated with frequent and rapid deployment of software patches.

Missing Controls
2. Defense in Depth
Using a typical web application architecture without enough defense in depth:
The web application has full read and write access to the underlying data store.
The web application code is the sole arbiter of access.
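
The two weaknesses on this slide can be shown side by side with a tiny data store. The example below is added here and is not from the slides or from Equifax; it is a constructed, fictional table of consumer records. build_store() is the weak baseline, where the connection the web tier uses can read every column and delete every row, so the application code really is the sole arbiter of access. restrict_for_web_tier() adds a second, independent control: a policy evaluated by the database engine itself that makes the web tier read-only and returns NULL for the SSN column. In a real deployment that policy is a database role grant enforced server-side; here SQLite's authorizer hook stands in for it so the example runs offline.

```python
import sqlite3

# Constructed, fictional sample records standing in for the PII the slides list.
SAMPLE_CONSUMERS = [
    (1, "Alice Example", "123-45-6789", "1980-01-01"),
    (2, "Bob Example", "987-65-4321", "1975-06-30"),
]


def build_store():
    """Weak baseline: the web tier's connection has full read/write access."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE consumers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, dob TEXT)"
    )
    conn.executemany("INSERT INTO consumers VALUES (?, ?, ?, ?)", SAMPLE_CONSUMERS)
    conn.commit()
    return conn


def web_tier_policy(action, table, column, db_name, trigger):
    """Policy modelling a restricted database role for the web tier.

    SQLite calls this when it compiles each statement, independently of the
    code that issued the query. Here it stands in for a server-side role grant.
    """
    if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE):
        return sqlite3.SQLITE_DENY            # the web tier may not change data
    if action == sqlite3.SQLITE_READ and table == "consumers" and column == "ssn":
        return sqlite3.SQLITE_IGNORE          # SSN column reads back as NULL
    return sqlite3.SQLITE_OK


def restrict_for_web_tier(conn):
    """Hardened variant: install the policy on the connection the web tier gets."""
    conn.set_authorizer(web_tier_policy)
    return conn


def lookup_consumer(conn, consumer_id):
    """The ordinary per-record query the web application needs."""
    return conn.execute(
        "SELECT id, name, ssn, dob FROM consumers WHERE id = ?", (consumer_id,)
    ).fetchone()


def exportable_ssn_count(conn):
    """How many real SSN values a bulk 'SELECT ssn' through this connection returns."""
    rows = conn.execute("SELECT ssn FROM consumers").fetchall()
    return sum(1 for (ssn,) in rows if ssn is not None)


def attempt_bulk_delete(conn):
    """Whether a destructive statement issued through this connection succeeds."""
    try:
        conn.execute("DELETE FROM consumers")
        return "allowed"
    except sqlite3.DatabaseError:             # raised as 'not authorized' when denied
        return "denied"


if __name__ == "__main__":
    weak = build_store()
    print("weak:", lookup_consumer(weak, 1), exportable_ssn_count(weak), attempt_bulk_delete(weak))
    hard = restrict_for_web_tier(build_store())
    print("hard:", lookup_consumer(hard, 1), exportable_ssn_count(hard), attempt_bulk_delete(hard))
```

The point is not the authorizer API but where the decision is made: with the restricted connection, a bug in the web application (or a request it should never have honoured) can still be served the consumer's name and date of birth, but it cannot pull every SSN or destroy the table, because that decision no longer belongs to the application code alone.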

Missing Controls
3. Ineffective application of an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System)
Executives should give power to risk assessment management [teams] and hire reputable third parties to audit their security policies.
Equifax could have patched the vulnerability or received alerts through an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System).
Both are built to detect network behavioral changes, so if a company has segmentation in place, it can kill a network connection where needed to avoid losing vital data.
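
To make the IDS/IPS distinction concrete, here is a minimal request-inspection routine of the kind such a sensor runs on web traffic. It is an added example, not code from the slides or from any IDS product, and the two HTTP requests it inspects are constructed. The check is the one defenders used for CVE-2017-5638: a Content-Type header containing an OGNL expression marker ("%{" or "${"), which a legitimate Content-Type never contains, since RFC 2046 boundary characters do not include "%", "$" or "{". In IDS mode the routine only raises an alert; in IPS mode it returns a drop verdict, which is the "kill the connection" action the slide describes.

```python
import re

# OGNL expression markers. Struts evaluates such expressions in certain
# contexts, and the CVE-2017-5638 attack traffic carried one inside the
# Content-Type header. Legitimate Content-Type values never contain them.
OGNL_MARKER = re.compile(r"[%$]\{")


def parse_request_head(raw: str) -> dict:
    """Split a raw HTTP request head (CRLF-separated) into method, target and headers."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        if line == "":                        # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def inspect_request(raw: str, mode: str = "ids") -> dict:
    """Return alerts for one request; an IPS drops it, an IDS only alerts."""
    req = parse_request_head(raw)
    alerts = []
    content_type = req["headers"].get("content-type", "")
    if OGNL_MARKER.search(content_type):
        alerts.append("ognl-expression-in-content-type")
    if alerts:
        action = "drop" if mode == "ips" else "alert"
    else:
        action = "allow"
    return {"method": req["method"], "target": req["target"],
            "alerts": alerts, "action": action}


def run_sensor(requests, mode: str = "ids") -> dict:
    """Inspect a batch of requests and summarise what the sensor would do."""
    verdicts = [inspect_request(r, mode) for r in requests]
    return {
        "verdicts": verdicts,
        "alerted": sum(1 for v in verdicts if v["alerts"]),
        "dropped": sum(1 for v in verdicts if v["action"] == "drop"),
    }


# Constructed sample traffic (not captured from any real system).
BENIGN_UPLOAD = (
    "POST /upload HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    "\r\n"
)
SUSPICIOUS_UPLOAD = (
    "POST /upload HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: %{marker}\r\n"             # constructed placeholder, not a real payload
    "\r\n"
)
SAMPLE_TRAFFIC = [BENIGN_UPLOAD, SUSPICIOUS_UPLOAD]


def sample_ids_run() -> dict:
    return run_sensor(SAMPLE_TRAFFIC, mode="ids")


def sample_ips_run() -> dict:
    return run_sensor(SAMPLE_TRAFFIC, mode="ips")


if __name__ == "__main__":
    print("IDS:", sample_ids_run())
    print("IPS:", sample_ips_run())
```

Header names are lower-cased before lookup so a header spelled "content-type" or "CONTENT-TYPE" is not missed. A signature like this only helps if the sensor actually sees the traffic to the vulnerable application and someone acts on the alert, which is the governance point the slide is making.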

Recommendation
“Effective cybersecurity requires consistent, comprehensive, timely patch management for all of your critical clients, servers, applications, and operating systems.”
The first five of these Controls, listed below, can eliminate the vast majority of cybersecurity vulnerabilities, and patch management is essential to maintaining secure hardware and software configurations.
Inventory of Authorized and Unauthorized Devices
Inventory of Authorized and Unauthorized Software
Secure Configurations for Hardware and Software
Continuous Vulnerability Assessment and Remediation
Controlled Use of Administrative Privileges

CONCLUSION
Data breach. We need to pay more attention to protecting confidential information!!!

REFERENCES
http://money.cnn.com/2017/09/16/technology/equifax-breach-security-hole/index.html
http://www.equifax.com/about-equifax/company-profile/
https://en.wikipedia.org/wiki/Equifax
https://www.consumerreports.org/privacy/what-consumers-need-to-know-about-the-equifax-data-breach/
http://eservellc.com/equifax-data-breach-go-wrong
https://www.ivanti.com/blog/equifax-breach-patch-management-cybersecurity/
https://rietta.com/blog/2017/09/18/equifax-defense-in-depth/#equifax-announcement
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=29972

Questions? THANKS!