What does the Equifax data breach tell us about the larger issue of risk management in an increasingly unpredictable world?

It’s common knowledge by now that the data breach at credit reporting company Equifax earlier this year affected more than 140 million Americans. I don’t know about you personally, but in my immediate family, it’s running about 40% of us who have been impacted.

And as it turns out, the breach occurred because one of the biggest companies in the world — an enterprise that’s charged with collecting, holding and securing the sensitive personal and financial data of hundreds of millions of people — was woefully ill-prepared to protect any of it.

How ill-prepared? The more you dig around, the worse it appears.

Since my brother, Nelson Nones, works every day with data and systems security issues in his dealings with large multinational companies the world over, I asked him for his thoughts and perspectives on the Equifax situation.

What he reported back to me is a cautionary tale for anyone in business today – whether you’re working in a big or small company.  Nelson’s comments are presented below:

Background … and What Happened

According to Wikipedia, “Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.”

Founded in 1899, Equifax is one of the largest credit risk assessment companies in the world.  Last year it reported having more than 9,500 employees, turnover of $3.1 billion, and a net income of $488.1 million.

On September 8, 2017, Equifax announced a data breach potentially impacting 143 million U.S. consumers, plus anywhere from 400,000 to 44 million British residents. The breach was a theft carried out by unknown cyber-criminals between mid-May 2017 until July 29, 2017, which is when Equifax first discovered it.

It took another 4 days — until August 2, 2017 — for Equifax to engage a cybersecurity firm to investigate the breach.

Equifax has since confirmed that the cyber-criminals exploited a vulnerability of Apache Struts, which is an open-source model-view-controller (MVC) framework for developing web applications in the Java programming language.

The specific vulnerability, CVE-2017-5638, was disclosed by Apache in March 2017, but Equifax had not applied the patch for this vulnerability before the attack began in mid-May 2017.

The workaround recommended by Apache back in March consists of a mere 27 lines of code to implement a Servlet filter which would validate Content-Type and throw away requests with suspicious values not matching multipart/form-data. Without this workaround or the patch, it was possible to perform Remote Code Execution through a REST API using malicious Content-Type values.

Subsequently, on September 12, 2017, it was reported that a company “online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected [sic] by perhaps the most easy-to-guess password combination ever: ‘admin/admin’ … anyone authenticated with the ‘admin/admin’ username and password could … add, modify or delete user accounts on the system.”

Existing user passwords were masked, but:

“… all one needed to do in order to view [a] password was to right-click on the employee’s profile page and select ‘view source’. A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.”

The reporter who broke this story contacted Equifax and was referred to their attorneys, who later confirmed that the Argentine portal “was disabled and that Equifax is investigating how this may have happened.”

The Immediate Impact on Equifax’s Business

In the wake of these revelations, Equifax shares fell sharply:  15% on September 8, 2017, reducing market capitalization (shareholder value) by $3.97 billion in a single trading day.

Over the next 5 trading days, shares fell another 24%, reducing shareholder value by another $5.4 billion.

What this means is that the cost of the breach, measured in shareholder value lost by the close of business on September 15, 2017 (6 business days), was $9.37 billion – which is equivalent to the entire economic output of the country of Norway over a similar time span.

This also works out to losses of $347 million per line of code that Equifax could have avoided had it deployed the Apache Struts workaround back in March 2017.

The company’s Chief Information Officer and Chief Security Officer also “retired” on September 15, 2017.

Multiple lawsuits have been filed against Equifax. The largest is seeking $70 billion in damages sustained by affected consumers. This is more than ten times the company’s assets in 2016, and nearly three times the company’s market capitalization just before the breach was announced.

The Long-Term Impact on Equifax’s Brand

This is yet to be determined … but it’s more than likely the company will never fully recover its reputation.  (Just ask Target Corporation about this.)

Takeaway Points for Other Companies

If something like this could happen at Equifax — where securely keeping the private information of consumers is the lifeblood of the business — one can only imagine the thousands of organizations and millions of web applications out there which are just as vulnerable (if not as vital), and which could possibly destroy the entire enterprise if compromised.

At most of the companies I’ve worked with over the past decade, web application development and support takes a back seat in terms of budgets and oversight compared to so-called “core” systems like SAP ERP. That’s because the footprint of each web application is typically small compared to “core” systems.

Of necessity, due to budget and staffing constraints at the Corporate IT level, business units have haphazardly built out and deployed a proliferation of web applications — often “on the cheap” — to address specific and sundry tactical business needs.

“Kid’s Day” at Equifax’s Argentine offices. Were the kids in command there, one is tempted to wonder …

I strongly suspect the Equifax portal for managing credit report disputes in Argentina — surely a backwater business unit within the greater Equifax organization — was one of those.

If I were a CIO or Chief Security Officer right now, I’d either have my head in the sand, or I’d be facing a choice. I could start identifying and combing through the dozens or hundreds of web applications currently running in my enterprise (each likely to be architecturally and operationally different from the others) to find and patch all the vulnerabilities. Or I could throw them all out, replacing them with a highly secure and centrally-maintainable web application platform — several of which have been developed, field-tested, and are readily available for use.

__________________________

So, there you have it from someone who’s “in the arena” of risk management every day. To all the CEOs, CIOs and CROs out there, here’s your wakeup call:  Equifax is the tip of the spear.  It’s no longer a question of “if,” but “when” your company is going to be attacked.

And when that attack happens, what’s the likelihood you’ll be able to repel it?

… Or maybe it’ll be the perfect excuse to make an unforeseen “early retirement decision” and call it a day.

__________________________

Update (9/25/17):  And just like clockwork, another major corporation ‘fesses up to a major data breach — Deloitte — equally problematic for its customers.

Have we become too complacent about cyber-security threats?

cyber warfareThe scandal involving the security risk to U.S. State Department e-mails is just the latest in a long list of news items that are bringing the potential dangers of cyber-hacking into focus.

But of course, we’ve seen it before — and it involves far more than just “potential” risk.  From Target, Best Buy and other retailers to Ashley Madison customer profiles, IRS taxpayer information and the U.S. government’s personnel records, the drumbeat of cyber-security threats that’s turned out to be all-too-real is persistent and ongoing.

In the realm of marketing and public relations, recent breaches of PR Newswire and Business Wire data gave hackers access to pre-release earnings and financial reports that have been used to enrich nefarious insider traders around the world to the tune of $100 million or more in ill-gotten gains.

These and other events are occurring so regularly, it seems that people have become numb to them.  Every time one of these news items breaks, Instead of sparking outrage, it’s a yawner.

But Jane LeClair, COO of the National Cybersecurity Institute at Excelsior College, is pleading for an organized effort to thwart the continuing efforts — one of which could end up being the dreaded “Cyber Pearl Harbor” that she and other experts have warned us about for years.

“We certainly can’t go on this way — waiting for the next biggest shoe to drop when hundreds of millions — perhaps billions — will be looted from institutions … It’s time we stopped making individual efforts to build cyber defenses and started making a collective effort to defeat … the bad actors that have kept us at their mercy,” LeClair contends.

I think that’s easier said than done.

Just considering what happened with the newswire services is enough to raise a whole bevy of questions:

  • Financial reports awaiting public release were stored on the newswires’ servers … but what precautions were taken to protect the data?
  • How well was the data encrypted?
  • What was the firewall protection? Software protection?
  • What sort of intruder detection software was installed?
  • Who at the newswire services had access to the data?
  • Were the principles of “least privilege access” utilized?
  • How robust were the password provisions?

In the case of the newswire services, the bottom-line explanation appears to be that human error caused the breaches to happen.  The attackers used social engineering techniques to “bluff” their way into the systems.

Mining innocuous data from social media sites enabled the attackers to leverage their way into the system … and then use brute force software to figure out passwords.

Once armed with the passwords, it was then easy to navigate the servers, investigating e-mails and collecting the relevant data. The resulting insider trading transactions, made before the financial news hit the streets, vacuumed up millions of dollars for the perpetrators.

Now the newswire services are stuck with the unenviable task of attempting to “reverse engineer” what was done — to figure out exactly how the systems were infiltrated, what data was taken, and whether malicious computer code was embedded to facilitate future breaches.

Of course, those actions seem a bit like closing the barn door after the cows have left.

I, for one, don’t have solutions to the hacking problem. We can only have faith in the experts inside and outside the government for determining those answers and acting on them.

But considering what’s transpired in the past few months and years, that isn’t a particularly reassuring thought.

Would anyone else care to weigh in on this topic and on effective approaches to face it head-on?

Data breaches: Target is just the tip of the iceberg.

Target data breachI’m sure we aren’t the only family who’s had to suffer through the aftershocks of Target’s infamous Great Thanksgiving Weekend Data Breach that occurred in late 2013.

According to news reports, as many as 40 million Target credit cards were exposed to fraud by the data breach.  And as it turns out, the initial reports of nefarious doings were just the beginning.

Even after being given a new credit card number, my family has had to endure seemingly endless rounds of “collateral damage” for more than a year since, as Target’s very skittish credit card unit staff members have placed card-holds at the drop of a hat … initiated phone calls to us at all hours of the day … and asked for confirmations (and reconfirmations) of merchandise charges.

Often, these unwelcome communications have occurred on out-of-town trips or whenever someone in the family has attempted to make an innocuous online purchase from a vendor based overseas.

It’s been altogether rather icky — in addition to being a royal pain in the you-know-where.

But our experience has hardly been unique.  Consider these scary figures when it comes to data breaches that are happening with businesses:

  • On average, it takes nearly 100 days to detect a data breach at financial firms. 
  • It takes nearly 200 days to do so at retail establishments.

Those unwelcome stats come to us courtesy of a multi-country survey of ~1,500 IT professionals in the retail and financial sectors.  The study was conducted by the Ponemon Institute on behalf of network security and software firm Arbor Networks.

The next piece of unsettling news is that, even with the long “dwell” times of these data breaches, the IT professionals surveyed aren’t optimistic at all that the situation will improve over the coming year.  (Nearly 60% of those working in the financial sector aren’t optimistic, as do a whopping ~70% in retail.)

It’s doubly concerning because companies in these sectors are such obvious targets for hack attacks.  The reason is simple:  The amount and degree of customer data stored by companies in these sectors is highly valuable on the black market — thereby commanding high prices.

It makes it all the more lucrative for unscrupulous people to make relentless attempts to hack into the systems and extract whatever data they can.  IT respondents at ~83% of the financial companies reported that they suffer more than 50 such attacks in a given month, as do respondents at ~44% of the retail firms.

The impact on companies isn’t trivial, either.  Another study released jointly just last week by Ponemon and IBM, based on an evaluation of ~350 companies worldwide, finds that the average data breach costs nearly $160 for each lost or stolen record.  And that’s up over 6% from a year ago.  (The Target breach cost substantially more on a per-record basis, incidentally.  And for healthcare organizations, the average cost is well over $350 per record.)

dbWhat can be done to stem the endless flood of data breach attacks?  The respondents to this survey put the most faith in technology that monitors networks and traffic to stop or at least minimize these so-called advanced persistent threats (APTs).  More companies have been implementing formalized incident response procedures, too.

As Dr. Larry Ponemon, chairman of the Ponemon Institute has stated, “The time to detect an advanced threat is far too long; attackers are getting in and staying long enough that the damage caused is often irreparable.”

Clearly, more investment in security tools and operations would be advisable.

Anyone else care to weigh in with opinions?

Security blind spots: It turns out they’re everywhere on the web.

sbsIt seems like there’s a story every other day about security breaches affecting e-commerce sites and other websites where consumers congregate.

And now we have quantification of the challenge. Ghostery, a provider of apps that enable consumers to identify and block company tracking on website pages, has examined instances of non-secure digital technologies active on the websites of 50 leading brands in key industry segments like news, financial services, airlines and retail.

More specifically, Ghostery was looking for security “blind spots,” which it defines as non-secure tags that are present without the permission of the host company.

What it found was that 48 of the 50 websites it studied had security blind spots.

And often  it’s not just one or two instances on a website. The analysis found that retail web pages host a high concentration of non-secure technologies:  438 of them on the Top Ten retail sites it analyzed (companies like Costco, Kohls, Overstock.com, Target and Walmart).

Financial services sites are also hit hard, with 382 blind spots identified, while airline websites had 223 instances. And they’re often present on the pages described as “secure” on these websites.

Scott Meyer, who is Ghostery’s chief executive officer, had this to say about the situation:

“Companies have very little understanding of what’s happening on their websites. The problem is not with any of the company’s marketing stacks, it’s with their own tech stacks.  What these companies have now is marketing clouds, not websites, and they’ve gotten complicated and hard to manage.”

Scott Meyer, Ghostery CEO
Scott Meyer, CEO of Ghostery (formerly The Better Advertising Project and Evidon).

There was one leading brand web site that came off looking squeaky clean compared to the others: Amazon.  “Amazon is incredibly sophisticated; others are not,” Meyer noted.

The implications of avoiding addressing these security blind spots could be seriously negative. Bot networks often use non-secure technologies to gain entry to websites.  Google is indexing company websites higher in search engine results based on their security ratings.

It makes it all the more important for companies to audit their websites and set up system alerts to identify the non-secure tags.

For the leading brands in particular, they just need to suck it up and do it for the benefit of their millions of customers.