More Lessons from the Exhaust of the Equifax Breach

Equifax is moving from bad to worse, and there is apparently much more to come. Equifax has just been fined by the UK’s data protection agency with the maximum possible penalty under the prior European laws for last year’s massive data breach.

It’s only $662,712.50 in U.S. dollars (£500,000) because the loss of customer data occurred when the UK’s prior privacy regime was in force, rather than the tough new GDPR data protection law, under which the fine could have been 4% of 2016 global revenue ($3.14B), or $125.6 million. Equifax dodges yet another consequence of its almost complete and abject failure to protect against a breach, but the evidence of malfeasance keeps mounting.

The UK regulators are on the case because 15 million UK citizens’ data was also breached in the attack; while the breach occurred against Equifax’s U.S. based systems, the UK citizens’ data was being processed here in the US. That should get the attention of any Board that thinks that, because it is somehow a U.S. based company, it is immune from the oversight implications of the GDPR.

But if Equifax thinks that dodging this bullet is the end of their nightmare, there are over 400 class action suits that would beg to differ. The finding by the UK’s Information Commissioner’s Office (ICO) investigation stated that Equifax had managed to contravene not just one or two, but five out of eight data protection principles of the Data Protection Act 1998, including failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data.

“Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law,” said information commissioner Elizabeth Denham in a statement. “We are determined to look after UK citizens’ information wherever it is held.”

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data,” she added.

The regulator’s investigation carried out in parallel with the UK’s financial regulator, the Financial Conduct Authority, found that the measures that should have been in place to manage personal information were both inadequate and ineffective, and that there were also significant problems with data retention, IT system patching, and audit procedures.

Worse yet, from a defense attorney’s point of view, the US Department of Homeland Security is on record with a warning dating back to March of 2017 that a critical vulnerability in a consumer-facing portal had not been patched and represented a considerable risk. So, it wasn’t that Equifax IT and InfoSec executives didn’t know about the Apache Struts patch. They were warned and yet they apparently just chose to ignore the warning. Or, something.

It is additionally telling and a clear message to corporate board members of all companies that because many of the customers affected would not have been aware that Equifax held their data, the UK ICO insisted that the maximum penalty be applied. Denham’s reasoning is that customers who learned about the cyber-attack would have been surprised to find that their data was exposed and stolen, then experienced additional distress and mental anguish. In other words, had Equifax been forthcoming to its customers in advance that there was a chance that their personal data was at risk, they might have avoided the severity of the fine.

Of course, it’s likely that Equifax might not have had any customers after issuing that guidance.

This action against Equifax comes on the heels of the ICO’s recent judgement against Facebook with the same level of fine for allowing user data on 87 million Facebook users to be scraped by a third-party app which used it to try to build voter targeting models, and then selling this data as a service to a political consultancy involved in the US political process.

Denham said that, “Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine.”

The company points to several changes it says it has made in response to the incident to strengthen its policies and processes and highlights ongoing investments in infrastructure and corporate governance procedures, including hiring additional IT staff, which are intended to improve the resilience of its systems to hack attacks. In other words, blah, blah, blah. Barn doors are most effective when they are closed before the horses run out.

Those five principles that Equifax violated, which contributed to the breach, were ineffective identification, inadequate detection, no network segmentation, poor data governance, and the failure to rate-limit database requests. Had any one of those areas been properly handled, Equifax might have identified and contained the intrusion much more quickly.

The not funny at all comedy of errors begins with Ineffective Identification. The GAO, in its just completed investigation, states that while the U.S. Computer Emergency Readiness Team in March 2017 issued an alert that all Apache Struts implementations should be immediately patched, Equifax claims it did receive and then circulate this notice to its systems administrators. However, the recipient list for the notice was out of date and, as a result, the notice was not received by the individuals who would have been responsible for installing the necessary patch.

Equifax also claims that a routine scan conducted a week later, which searched for known vulnerabilities inside its network, had failed to flag the flaw in the Struts implementation that ran its online dispute portal. To that I say, EHNT! Thanks for playing.

The second screw-up pointed to a failure to provide adequate detection. Equifax had a security device that allowed it to inspect network traffic, but it wasn't working because a digital certificate that it required to operate had expired. Not only had it expired, but it had expired 10 months before the breach occurred, meaning that encrypted traffic was not being inspected throughout that entire period. Translation: The attackers were able to run commands and remove stolen data over an encrypted connection without detection for 10 months.

The third violation related to Equifax’s failure to isolate its databases on different network segments, which meant that once the attackers were inside the network they could access dozens of other databases residing on connected networks. These databases contained customer PII. Combined with the blind spot created by the expired security certificate and the failure to rate-limit queries, this allowed the attackers to remove large amounts of PII without triggering an alarm.

Poor data governance comes in fourth as we learn that Equifax was violating one of the basic security administration principles by storing access credentials used by its administrators in an unencrypted format. The most basic and common best practices would have further required that credentials be stored only in a secured vault with access managed through multifactor authentication.

This lapse enabled the attackers to gain access to a database containing unencrypted credentials for accessing additional databases, aka the Holy Grail. Using these administrator usernames and passwords allowed the intruders to run queries on any and all of those additional databases.

The failure to restrict query limits led to thousands of queries that the attackers used to exfiltrate the data. The common practice is to set boundaries on queries that represent what would be an unusual or anomalous number, to alert a monitoring function like a SOC when something untoward is in process. Again, no restrictions. No alerts.
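One way to implement the boundary described above, as an added example that is not part of the original article or of any Equifax system: a sliding-window check over a database audit log that raises an alert the first time an account’s query count, or the total rows it has pulled, in a one-minute window exceeds a threshold. The log format, the account and database names and the thresholds are assumptions chosen for illustration, and the sample log is constructed inside the script.

```python
"""Per-account query-volume alerting over a database audit log.

Added example; not code from the original article or from Equifax. The log
format, the account and database names, and the thresholds are assumptions
chosen for illustration. The sample log is constructed in build_sample_log().
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Constructed audit log: '<ISO timestamp> <account> <database> <rows returned>'."""
    base = datetime(2017, 5, 13, 1, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Normal activity: an application account issuing a few single-row lookups.
    for i in range(5):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} app_dispute dispute_db 1")
    # Bulk pull: one account fetching 200 rows every second for 80 seconds.
    for i in range(80):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} svc_reporting consumer_db 200")
    lines.sort()  # fixed-width timestamps, so lexical order is time order
    return "\n".join(lines)


def parse_line(line):
    """Split one audit line into (timestamp, account, database, rows)."""
    ts, account, database, rows = line.split()
    return datetime.fromisoformat(ts), account, database, int(rows)


def detect_query_floods(log_text, window=timedelta(seconds=60),
                        max_queries=50, max_rows=10_000):
    """Return one alert per account whose query count or total rows returned
    inside any sliding window of length `window` exceeds the thresholds."""
    recent = defaultdict(deque)  # account -> deque of (timestamp, rows) in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, database, rows = parse_line(line)
        q = recent[account]
        q.append((ts, rows))
        # Drop events that have fallen out of the window ending at `ts`.
        while q and q[0][0] <= ts - window:
            q.popleft()
        count = len(q)
        total_rows = sum(r for _, r in q)
        if (count > max_queries or total_rows > max_rows) and account not in alerted:
            alerted.add(account)  # alert once per account, not once per query
            alerts.append({
                "account": account,
                "database": database,
                "window_start": q[0][0].isoformat(),
                "triggered_at": ts.isoformat(),
                "queries": count,
                "rows": total_rows,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_query_floods(build_sample_log()):
        print(alert)
```

Run as a script it prints a single alert for the bulk-pulling account at the 51st query of its first minute; the thresholds are deliberately low so the constructed log trips them. In production the same logic would sit on the audit-log stream feeding the SOC, and the alert-once-per-account suppression keeps one sustained pull from generating thousands of duplicate alerts.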

The point here is not to pile on Equifax, though it is hard to resist, but rather to remind Board members, IT leaders and CISOs that the mistakes that led to this breach are likely found in many if not most IT environments, and that by doing nothing, you are placing your organization at serious risk.

If you are like most, you probably have no idea whose data you are processing and storing, whether it can be qualified as true PII, and even where it is stored. If you are like most, you probably have digital certificates that have expired, and you probably don’t know what you have, how many there are and where they are stored. If you are the average IT department, you are likely not incorporating audit systems that let you know when someone accesses a privileged account through notifications in event logs or other means.
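A check for the expired-certificate problem raised here, and for the detection failure described earlier (the inspection device whose certificate had lapsed ten months before the breach), as an added example that is not from the original article: a small inventory audit that classifies each certificate as expired, expiring or OK from its notAfter value, in the format Python’s ssl module returns from a live connection. The inventory entries, names and dates are constructed, and fetch_not_after is the assumed way to populate such an inventory from live hosts.

```python
"""Certificate expiry inventory check.

Added example; not code from the original article or from Equifax. It takes
certificate records whose expiry is in the notAfter format that
ssl.SSLSocket.getpeercert() returns (e.g. "Nov  1 00:00:00 2016 GMT") and
classifies each one as EXPIRED, EXPIRING or OK. SAMPLE_INVENTORY is
constructed; the names and dates are assumptions for illustration.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory: where each certificate is deployed and its notAfter value.
SAMPLE_INVENTORY = [
    {"name": "tls-inspection-appliance", "not_after": "Nov  1 00:00:00 2016 GMT"},
    {"name": "dispute-portal-frontend", "not_after": "Sep 15 00:00:00 2017 GMT"},
    {"name": "internal-api-gateway", "not_after": "Jan 20 00:00:00 2019 GMT"},
]


def _as_utc(now):
    """Accept None (current time), an ISO-8601 string, or an aware datetime."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return now.astimezone(timezone.utc)


def classify(not_after, now=None, warn_days=30):
    """Return (status, days_remaining) for one certificate; negative days mean expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    remaining = expiry - _as_utc(now)
    if remaining <= timedelta(0):
        return "EXPIRED", remaining.days
    if remaining <= timedelta(days=warn_days):
        return "EXPIRING", remaining.days
    return "OK", remaining.days


def audit(inventory, now=None, warn_days=30):
    """Classify every certificate in the inventory; `now` is injectable for testing."""
    now = _as_utc(now)
    report = []
    for item in inventory:
        status, days = classify(item["not_after"], now, warn_days)
        report.append({"name": item["name"], "status": status, "days_remaining": days})
    # Worst first: expired, then the ones expiring soonest.
    report.sort(key=lambda r: r["days_remaining"])
    return report


def fetch_not_after(host, port=443, timeout=5.0):
    """Read the notAfter field from a live endpoint (needs network; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(f"{row['status']:<9} {row['days_remaining']:>6}d  {row['name']}")
```

Two practical notes. First, fetch_not_after uses a verifying context, so a certificate that has already expired fails the handshake with ssl.SSLCertVerificationError before notAfter can be read; an inventory tool should catch that and record the host as expired rather than crash, because the failed handshake is itself the finding. Second, the value of the check is only as good as the inventory feeding it: certificates on appliances, internal services and load balancers that nobody listed are exactly the ones that lapse unnoticed, which is the situation the article describes.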

Most of the time, credential theft can be prevented with good security hygiene, but most of the time, the typical IT organization isn’t practicing good security hygiene. For example, earlier versions of Windows (before 10) cache credentials that admins use to troubleshoot problems. Those credentials remain cached for cyber-thieves to pluck off and use to gain access to the entire network. Do you have controls in place to prevent this from occurring? I didn’t think so.

And amazingly, most IT organizations have not implemented multi-factor authentication for restricting access to admin credentials. This means that all I need as an attacker is access (username/password) to the vault and I, like the Equifax attackers, am good to go. I will bet my mortgage that most data governance controls lack this basic protection.

If you believe for a minute that the breach that happened to Equifax can’t happen to your company, you are delusional. And just because these sorts of cases have historically not resulted in serious penalties for the perpetrating companies and officers, doesn’t mean that in this new legal and regulatory environment, it will remain that way. The lower courts split last year on whether plaintiffs must prove actual damages or only potential future damages. That case will end up in the Supreme Court and I’m pretty sure future damages will prevail. The teeth in the GDPR are much sharper than those in the earlier European legislation, and both at the State and Federal levels, we will see GDPR-like regulations enacted throughout the U.S. in the coming months.

Now would be a really good time to take a lesson from the Equifax follies and start auditing your own environment to see where you stand against their security profile. You probably don’t want to be that guy who used to be the CISO, VP/IT or CEO of Equifax.

And if you are in a position of fiduciary governance (aka Board Director), you should know that you will likely be held personally liable, and not just in a civil court. Doing nothing seems like a bad hedge against a steep downside.

More articles by Steve King, CISM, CISSP