It is a terrible time for privacy in the United States. There are very few institutions that we entrust to hold nearly all our financial records, and one of them, Equifax, admits to losing them.
The full impact of the breach will be felt over time, and right now nothing has changed in our lives besides a new worry and uncertainty. Perhaps, as with other breaches such as Anthem and Yahoo, we will live in fear for decades without ever feeling the direct impact.
However, I would argue that Equifax has the potential to be the most impactful breach for its victims. Repositories of data that include personal, financial and confidential information will not dissipate easily over time. Unlike many medical conditions, or simply stolen passwords, theft of financial and personal information does not get better for its victims. We can’t escape our credit history and financial situation, so the abusers of the stolen data will be able to pursue us through the years.
How did it happen? We do not have all the details, but one may argue that an organization charged with holding this type of data should not fall to an attack vector that had been a known problem for half a year prior. Even with that vulnerability, a breach of a single website should not lead to any stolen data. There must be safeguards.
Let’s say a web server was not patched; it is still the job of intrusion prevention systems to detect an exploit. When hackers were roaming free within a compromised server and its databases, where were the security safeguards identifying the abuse? Further, consider that hackers reportedly stole gigabytes, if not terabytes, of data. This type of unusual activity should be noticed by network traffic monitors and defensive tools.
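As an added illustration of the point above (example code, not from the original post or from Hold Security): a minimal per-host egress baseline over constructed daily netflow summaries, which flags a day whose outbound volume is far above that host's norm. Host names, dates and byte counts are invented; the baseline window and the alert factor are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (host, day, outbound_bytes) summaries of the kind a
# netflow collector would emit. These values are invented for illustration.
FLOWS = [
    ("web-01", "2017-05-01", 2_000_000_000),
    ("web-01", "2017-05-02", 2_100_000_000),
    ("web-01", "2017-05-03", 1_900_000_000),
    ("web-01", "2017-05-04", 2_200_000_000),
    ("web-01", "2017-05-05", 2_000_000_000),
    ("web-01", "2017-05-13", 60_000_000_000),   # roughly 30x the host's norm
    ("db-02", "2017-05-01", 500_000_000),
    ("db-02", "2017-05-02", 520_000_000),
    ("db-02", "2017-05-03", 480_000_000),
    ("db-02", "2017-05-13", 510_000_000),
]

def daily_egress(flows):
    """Sum outbound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, day, nbytes in flows:
        totals[host][day] += nbytes
    return totals

def egress_anomalies(flows, baseline_days, factor=5.0):
    """Return (host, day, bytes, ratio) for host-days outside the baseline
    window whose outbound volume is at least `factor` times the host's
    baseline median. A host with no baseline data is reported with ratio
    None rather than being silently skipped."""
    alerts = []
    for host, days in daily_egress(flows).items():
        base = [b for d, b in days.items() if d in baseline_days]
        for day, nbytes in sorted(days.items()):
            if day in baseline_days:
                continue
            if not base:
                alerts.append((host, day, nbytes, None))
                continue
            ratio = nbytes / median(base)
            if ratio >= factor:
                alerts.append((host, day, nbytes, round(ratio, 1)))
    return alerts

if __name__ == "__main__":
    baseline = {f"2017-05-0{i}" for i in range(1, 6)}
    for alert in egress_anomalies(FLOWS, baseline):
        print(alert)   # -> ('web-01', '2017-05-13', 60000000000, 30.0)
```

A real deployment would baseline per destination and per protocol as well, since a single host sending its usual volume to an unusual destination is just as telling.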
Yet Equifax’s infrastructure allowed the data theft to proceed without much of an alert. And for us, the victims, what’s the recourse? One year of free credit protection from the TrustedID service, owned by Equifax? There is something to be said about a company offering protection against identity theft that could not protect its own data. And what happens after one year? Would hackers delete the stolen data, or would they keep abusing the accounts while the victims resort to paying Equifax for a protection service against the loss that it caused?
There is a lot of angst, and confusion, and too many questions that we do not know how to answer. The scariest thing is that we do not know what is coming and how badly this will impact the victims.
The big question still remains: who do we trust with our data? Do we, the consumers, have any say or choice? Should there be government sanctions for these types of events?
As a security professional, I see another lesson in not-so-good security practice. What could have been done to prevent this? What could have been done during the incident response and investigation?
Time will tell if this is the most impactful breach for us, or if this is a scary event from which the stolen data never sees large-scale abuse. Stay tuned.
Editor’s note: Alex Holden will be presenting on optimizing defenses against invisible threats at CSX North America, to be held 2-4 October in Washington, D.C.
Alex Holden, President and CISO, Hold Security, LLC
[ISACA Now Blog]