Equifax breached, no eyebrows raised

Yet another breach from yet another organization that could and should have done better.

UPDATE: Equifax executives caught dumping stock

I generally try to stay away from media and other sources that might influence my writing when putting together a story, choosing to focus on just the related facts. It turns out I missed an interesting side story here that further casts Equifax in a negative light.

Jump down to the timeline section in this article — it’s right after the embedded video. Take a good look at the gaps between events — especially when Equifax became aware of the intrusion. Then come back here.

These three senior executives claim that a week ago, on August 1st and August 2nd, they weren’t aware of the breach. Plausible? Let’s look at their roles.

  • John Gamble, CFO
  • Joseph Loughran, president of U.S. information solutions
  • Rodolfo Ploder, president of workforce solutions

Are you thinking what I’m thinking? Yeah, the latter two execs have the kinds of titles we give to employees we can’t fire, but want to keep from causing trouble. Aside from that, John Gamble sticks out like a sore thumb here.

Gamble, Loughran and Ploder. Three men who are likely practicing their “shocked and surprised” faces in a mirror right now.

I spent over five years of my career as the chief incident handler for some large organizations. I can tell you that my incident response plans would involve my CFO (along with the rest of the executive tier) knowing about something the size of this breach within a few hours of me finding out. In the video, Rick Smith says that the attacker’s connection to their systems was immediately severed. That suggests the nature of the breach was quickly apparent. Furthermore, Smith says law enforcement was immediately notified and that a “leading cybersecurity firm” was engaged to conduct a “comprehensive forensic review”. The latter action equates to lots and lots of expense. Bringing in an emergency team for any kind of ‘comprehensive review’ is likely to come with a six or seven-figure bill.

Gamble wants us to believe that all this went down without his knowledge or approval on the sudden emergency spending? That his sudden sale of nearly $1m worth of stock was coincidence? Equifax was first aware of the incident on a Saturday. These three sold their stock the following Tuesday and Wednesday. I can guarantee you that practically the only thing that was talked about on Monday, July 31st, was this incident.

I don’t buy it for a second, and neither should you.

Just the facts

(beginning of the original article starts here)

Equifax announced yesterday, September 7, 2017, that it experienced a cybersecurity incident. Equifax is one of the “big three” US credit bureaus, along with Experian and TransUnion. They lost data belonging to 143 million Americans, which sounds like a lot, because it is. That’s 57% of the adult US population. Additionally, the company says payment information for 209,000 individuals was also lost, along with dispute documents belonging to an additional 182,000.

Rick Smith, the CEO of Equifax, recorded a video to “make sure we have the facts” of the situation (did anyone else hear “have the ‘fax”? No? Just me?). Coincidentally, Rick Smith’s name so generic, it’s nearly impossible to steal his identity. He’s definitely not the type to put his social security number on a billboard.

In the video, Smith announces that he is “pleased to report” that attackers did not appear to have compromised systems containing credit report data. However, what they did get appears to be every piece of data that’s on the credit report anyway. This includes most of what you need for identity theft.

  1. Names
  2. Social Security Numbers
  3. Birth Dates
  4. Addresses
  5. Drivers Licenses (only in some instances)

Class action suits and TrustedID Terms of Use

There’s been a lot of armchair lawyering and confusion around the TrustedID terms of use. I’m guilty of it as well. It’s hard in these situations to remember it’s not advisable to skim some legal text, jump to conclusions and shout FIRE! In any case, the situation clarified throughout the day as those with legal backgrounds started to chime in, but still isn’t entirely clear.

Interestingly, the New York State Attorney General got involved. We definitely need a solid answer on this. People need to know if signing up for Equifax’s services is going to take legal options off the table for them down the road.

About the credit bureaus

Once upon a time, financial institutions had to develop and employ their own vetting processes. The bureaus emerged to make the process simpler for businesses by streamlining the process and offering it as a service. The bureaus are for-profit companies. Transunion and Equifax are American companies that are both traded on the New York Stock Exchange. Experian is headquartered in Ireland and the United Kingdom, and is traded on the London Stock Exchange.

There’s not a lot of external regulation concerning how they function, from what I can tell. Businesses don’t have to report to all three or any of the bureaus. Creditors may only report to one. The bureaus have different methods of calculating credit scores, so they don’t all line up, which can be confusing to consumers. Credit events often show up erroneously, or on the wrong person’s account. Identity theft is still common, despite the prevalence of “identity monitoring services” and “credit locks”.

One bit of regulation that IS in place is that the bureaus are required to give free access to individuals’ credit data on a regular basis, typically once a year.

Savage Thoughts

As the title implies, I don’t think anyone was terribly surprised by this. We’re numb to the announcement of a breach has at this point. In most cases, we’re powerless to do anything about it. It’s been shown that breaches have little to no long-term financial impact on the organizations that experience them. We’re resigned to the fact that companies will continue make security a secondary priority, will continue to get hacked and will continue getting away with no serious consequences.

If you think about it, by offering its own products as a solution to the incident, this whole thing is one giant lead-generation campaign for Equifax. Yeah, it’s a big loss leader, but it’s still a loss leader on 143 million leads.

As for further analysis of the incident, the Equifax video has some of the most telling and interesting information, so let’s deconstruct it a bit.

Timeline

First, let’s take a look at the dates involved.

Mid-May: Attackers first accessed private Equifax data or had access to systems. It’s not clear what sort of access they had from the information we have. It could have been yet another AWS S3 bucket with the wrong access controls applied, or it could have been a private data center breach, or a single web application server that was compromised. We don’t know. There is a chance that the federal government or legal cases could require Equifax to provide more details in the future, as was the case with Target following its breach.

July 29th: Equifax discovered attackers had access to “data files”, approximately 75 days after the breach began. This is an interesting description of the attack, which led me to make my previous comment about S3 buckets. Breaches caused by S3 misconfigurations have been common in the news lately, thanks to research organization Upguard.

Late July: Equifax alleges they terminated the intrusion, hired a forensics firm and notified law enforcement.

September 7th: Equifax notifies customers and partners and publicizes the breach, 41 days after discovering it.

An Odd Comment

“I’m pleased to report that the review found no evidence of unauthorized activity on our core credit reporting databases.”

Smith makes this comment around 50 seconds into the video and it is only one of two moments designed to sound like a ‘silver lining’. The second is when he announces the “unprecedented” move of providing free identity theft protection and credit lock services to all affected individuals.

Why is Smith pleased to report this? They’ve already announced that most of the information from a credit report we wouldn’t want stolen was stolen. Perhaps this was thrown into the video for the benefit of shareholders and the board? I can appreciate the need to say, “look, the last 15 years of security budget wasn’t completely wasted.”

This statement reveals that, perhaps, some effective network segmentation was in place. What’s worrying about it is that the data that should have been protected by that segmentation was apparently on the less secure side of that enclave. We saw a similar situation in the DigiNotar breach. In the end, it didn’t matter that segmentation was done correctly, because the data is going to be stored outside of it anyway.

The PR Perspective

A lot of good, empathetic language was used.

“Deeply regret”

“Apologize’

“Our first priority should be to protect consumers”

I think we can all agree the latter example is the right thing to say, but Smith isn’t fooling anyone — the first priority is to protect the business.

“Equifax will not be defined by this incident, but rather, by how we respond.”

This is a great point to make, as we strongly believe that the vast majority of consumers are prepared to forgive a large-scale incident if it is handled appropriately. Equifax is already at a disadvantage, however, as consumers are just finding out their data was stolen over 100 days ago.

Finally, please don’t include ‘silver lining’ statements in these messages. You’ve betrayed the trust of your customers and 143 million Americans. None of the victims want to hear the phrase “I’m pleased to report” unless it’s good news for them.

Breach notification: speed is of the essence

Two key aspects to an effective post-breach PR strategy are transparency and speed. Here we have a case where Equifax chose to keep the breach private for 41 days before announcing it publicly.

Why did it take Equifax 41 days to notify customers of an already 75-day-old breach? CYA activities — making sure they took care of the businesses’ liabilities and put together a slick PR response. It sounds impressive — they recorded a video, set up a special website, created a dedicated call center and prepared to give away products for free to millions of victims.

It sounds impressive, until you consider the fact that many of these victims were likely getting their identities stolen while Equifax was taking their time to set all this up. Given this context, the quote about priority comes across as more than a little disingenuous. UPDATE: Especially now that we know at least three executives dumped stock days after the incident.

“Our first priority should be to protect consumers”

Conclusion

Consumers are finding out that their personal data was stolen, 116 days after it was potentially first accessed. This is a completely unacceptable timeframe from any perspective. The “unprecedented” offer is too little, too late. If identities were going to be stolen, it would have happened already.

According to Mandiant’s most recent M-Trends report, dwell time (the time between first intrusion and the victim’s discovery of the intrusion) has steadily decreased down to an average of 99 days. We understand the complex issues that have resulted in dwell time being a standard metric in this industry. We’re in an age, however, where smaller, more agile companies are announcing incidents within hours on the same day and even livestreaming efforts to address them.

The key takeaway here is that Equifax should have notified consumers of the breach much sooner. Had I been advising the company, I would have pushed for notification to go out within 24 hours of the company learning of the incident. That would have given the consumers over a month more time to head off or prevent some of the malicious activity that might have resulted from this incident. To that point — there was so much data lost here, we may never be able to attribute specific incidence of fraud to the Equifax breach.

Rick Smith is right. Equifax will be defined by how they respond. They’ve started off with a serious deficit, and from a PR perspective, I’m not sure they can recover from it.

I hate to end on a dour note, so here are some of my favorite examples of companies getting it right.

GitLab

From: https://www.reddit.com/r/sysadmin/comments/5rfvpd/live_stream_of_the_gitlab_recovery/

Buffer

https://open.buffer.com/buffer-has-been-hacked-here-is-whats-going-on/

How Buffer Came Out on Top After Getting Hacked

Buffer’s Response to Hacking: A Study in Social Media Crisis Management

Crisis Communications Done Right: Buffer App

Other Good Reads

I make a point not to read any other stories before posting mine, but it’s always fun to see how similar or different articles are afterwards. My friends over at Motherboard also took a jab at poor Todd Davis and his repeatedly stolen identity. Steve Ragan has a straightforward piece on the event and the ever-vigilant Brian Krebs lends his long experience in breach reporting to a report on the incident.

If your business needs a breach plan, training on crisis communications or help preventing a breach from occurring in the first place, we’d love to lend a hand. Contact us: info@savagesec.com


Equifax breached, no eyebrows raised was originally published in Savage Security Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

This is a Security Bloggers Network syndicated blog post authored by Adrian Sanabria. Read the original post at: Savage Security Blog - Medium