The recent Equifax security breach was a gross failure of privacy, security and the protocols in place to handle a breach of this scale after the fact. However, as with any failure of this magnitude, there are several important lessons that must be learned and applied to help ensure that this does not happen again.
How it happened
The origin of the hack appears to be a security vulnerability in Apache Struts, a tool used to build web applications, which allowed remote hackers to execute arbitrary commands. The flaw was disclosed in March, and patches were released to address the flaw.
However, Equifax failed to adequately apply these patches, leaving their system vulnerable. Hackers used this vulnerability to gain access to names, Social Security numbers, and some driver's license information. All told, the data of more than 140 million Americans was affected. The breach was not disclosed to the public until six weeks after it was discovered.
After it had been disclosed, Equifax sent victims to a website that purportedly addressed the breach. However, the website was a phishing website created by a software engineer to showcase the dangers of phishing attacks. Fortunately, the engineer who built the site did not actually collect any data from the site.
Privacy versus security
The contemporary zeitgeist tends to view privacy as a necessary trade-off for security. However, a breach of this nature illustrates that privacy and security, in fact, go hand-in-hand; you cannot have one without the other.
The information obtained in this breach could now be used to create a sort of domino effect of security breaches as hackers use this information to gain access to financial information and accounts and even fake tax returns in the name of victims of this breach.
Re-evaluate cybersecurity breach disclosures
Equifax waited six weeks to disclose information about the breach to shareholders and the public. European regulations, on the other hand, require disclosure of a security breach within 72 hours of discovery.
Putting a month and a half between discovery and disclosure potentially put victims in danger of identity theft. The United States as well as private companies need to re-evaluate disclosure practices after breaches of this magnitude in order to mitigate the effects of such a breach.
Clearer security update protocols
The simple fact is that this breach could have been entirely avoided simply by applying the appropriate security patches to Adobe Struts. Companies that handle sensitive data of this nature have a responsibility to protect that data, and security practices should reflect that responsibility.
When notified of a vulnerability that affects data security, best practices dictate that the vulnerability be addressed in a timely manner. Security protocols and procedures should reflect that necessity.
Communication in the aftermath
In the aftermath of the breach, Equifax's failure to communicate internally, with shareholders and with the public only served to exacerbate issues. By delaying disclosure of the breach, Equifax harmed their own image with the public and with shareholders, damaging the trust related to their brand. In addition, the fact that Equifax's verified Twitter account sent victims to an unofficial, cloned website set up as a phishing attack shows that internal communication was lacking as well.
The lack of communication only created more potential issues as Equifax sought to recover from the breach. During the recovery processes, internal and public communication should be made clearly, concisely and in a timely manner to avoid creating potential issues.
Mitigation and recovery, not just prevention
Although Equifax clearly failed in preventing the breach, the damage could have been reduced if the company had practices in place to mitigate damage and recover from such an attack.
Practices such as data segmentation and deleting old data could have reduced the amount of data acquired from the breach. In addition, if Equifax had protocols in place for recovering from such an attack, the issues caused by Equifax's behavior in the aftermath of the breach could have been avoided.
A layered approach to cybersecurity that includes mitigation and recovery could have dramatically reduced the damage caused by the attack. Because there was only one line of defense, however, the data acquired was left wide open once these defenses were breached.
As our personal data becomes increasingly digitized, data security also becomes increasingly important. The Equifax breach illustrates the need for data security reform that incorporates a comprehensive view of cybersecurity. Companies that handle large amounts of sensitive data have a responsibility to secure that data, and by necessity, protocols should be in place to implement best practices to prevent, mitigate and recover from security breaches such as this.