Posted by Admin | Investing

The breach of the credit reporting firm Equifax, which exposed extensive personal data for 143 million people, is the worst corporate data breach to date. But incredibly, the errors and the superlatives do not end there. In the weeks since the firm first publicly disclosed the incident, a steady flow of gaffes and revelations has painted a picture of Equifax’s deeply inadequate response to the disaster.

Equifax’s bungles began quite literally on day one, when the company directed potential victims to a separate domain rather than simply building pages to manage the breach off its main, trusted website. Observers quickly found bugs, some of them severe, in that breach-response site. All the while, Equifax asked people to trust the site’s security, and to submit the last six digits of their Social Security number as a way of checking whether their information was compromised in the breach.

The site also seemed slapdash, even though Equifax says it learned of the mega-breach at the end of July and took about six weeks to disclose it. During that time, the company could conceivably have planned and implemented a much stronger and more reassuring resource for wary consumers.

“There should have been a really extensive set of policies and procedures for what to do to react,” says Jonathan Bernstein, the president of Bernstein Crisis Management, which works on institutional response to all sorts of disasters, including data breaches. “It is going to be more challenging to convince people that they are now able to safeguard data, because Equifax has undermined their credibility from how they’ve responded. They made the situation worse.”

Further revelations this week indicate that even more fundamental issues plagued Equifax’s handling of its response site. In the weeks since Equifax revealed the breach, the company’s official Twitter account has tweeted a phishing link four times, rather than the organization’s actual breach-response page. Luckily for Equifax, the page is not actually malicious: developer Nick Sweeting set up the look-alike, a counterpart to the legitimate site, to demonstrate how easy the site is to spoof, and how ill-advised it was for Equifax to break it away from its main company domain. But had it not been a proof of concept, the phish Equifax inadvertently promoted could have done a great deal of harm. Sweeting says the fake site has had approximately 200,000 page loads.
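The failure the tweets illustrate, an official account linking to a look-alike domain with nobody noticing, is mechanical enough to gate automatically before a post goes out. The script below is an added example written for this page; it is not code from the original article or from Equifax, and the owned-domain allowlist and the sample posts are constructed stand-ins rather than real domains or tweets. It extracts every link in a post, checks the host against the organisation’s own registrable domains, and shows why a naive substring or suffix comparison is not enough.

```python
"""Flag outbound social-media links that leave the organisation's own domains.

Added example, not from the original article.  OWNED_DOMAINS and SAMPLE_POSTS
are constructed stand-ins, not Equifax's real domains or tweets.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumed allowlist of registrable domains the organisation controls.
# A breach-response site on a separate, newly registered domain would not
# be here, which is exactly the point: a link to it looks no more
# legitimate than a link to an attacker's look-alike.
OWNED_DOMAINS = {"example-corp.com"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def host_is_owned(host: str, owned=OWNED_DOMAINS) -> bool:
    """True if host is an owned domain or a subdomain of one.

    Match on label boundaries.  A bare endswith("example-corp.com") would
    accept "notexample-corp.com", and a substring test would accept
    "example-corp.com.evil.net".
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned)


def check_link(url: str, owned=OWNED_DOMAINS) -> Tuple[bool, str]:
    """Return (ok, reason) for a single URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "scheme is not https"
    # urlsplit strips any "user:pass@" prefix, so .hostname is the real
    # host even for "https://example-corp.com@evil.net/".
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if not host_is_owned(host, owned):
        return False, "host %s is not an owned domain" % host
    return True, "ok"


def check_post(text: str, owned=OWNED_DOMAINS) -> List[Tuple[str, bool, str]]:
    """Extract every link in a post and return (url, ok, reason) for each."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")  # sentence punctuation is not part of the link
        ok, reason = check_link(url, owned)
        results.append((url, ok, reason))
    return results


# Constructed sample posts.  The second swaps a capital I for the l in
# "example"; the third hides the real host behind a userinfo prefix.
SAMPLE_POSTS = [
    "Check whether you were affected: https://breach-help.example-corp.com/check.",
    "Check whether you were affected: https://breach-help.exampIe-corp.com/check.",
    "Enroll here: https://example-corp.com@evil.example.net/enroll",
]


def audit(posts=SAMPLE_POSTS, owned=OWNED_DOMAINS) -> List[str]:
    """Return one line per flagged link, suitable for a pre-publish gate."""
    flagged = []
    for post in posts:
        for url, ok, reason in check_post(post, owned):
            if not ok:
                flagged.append("%s -> %s" % (url, reason))
    return flagged


if __name__ == "__main__":
    for line in audit():
        print("BLOCK:", line)
```

Run as a script it blocks the second and third sample posts and lets the first through. The allowlist is deliberately limited to domains the organisation already owns; if the breach-response site had lived under the main domain, this check would have passed it without any special case.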

“When your social networking profile is tweeting out a phishing link, that is bad news bears,” says Michael Borohovski, the cofounder of the site security company Tinfoil Security.

Equifax also confirmed this week that it had suffered another, previously undisclosed network breach in March, although the company did not provide specifics on what information, if any, was affected. Complicating things further, a report from Mandiant (the firm investigating Equifax’s more recent incident) obtained by the Wall Street Journal suggests that there was another March intrusion, probably pulled off by the same attackers who carried out the mega-breach between mid-May and July. The technical details are still murky, but the events in March raise new questions about whether the Equifax executives who sold nearly $2 million in company stock in early August were aware of the breach when they unloaded the shares. Equifax has stated that they “had no knowledge that an intrusion had occurred at the time they sold their stocks.”

The accumulation of missteps, slow disclosure, and questionable public response, with so many millions of innocent consumers potentially affected, deeply troubles security professionals. “These are all indicators of a business that had a dreadful security culture,” says Tinfoil Security’s Borohovski. “Unfortunately, the only word for it is negligence.”

And the latest missteps join a list of earlier revelations that Equifax had a disorganized approach to security, and a naiveté about the potential for a breach. The fact that attackers got into Equifax’s systems through a known vulnerability for which a patch was available galls security analysts. But the company also acknowledged that it knew about the patch when it was first released, and had actually tried to apply it across its systems. That failed effort hints at the truly haphazard nature of Equifax’s operation: a patch campaign that misses internet-facing systems usually points to an incomplete asset inventory, since you cannot patch what you do not know you run. Other anecdotes, such as the online portal used by Equifax employees in Argentina that was protected by the credentials “admin/admin”, only reinforce that picture.

“Equifax sits on the crown jewels of what we consider personally identifying information,” states Jason Glassberg, cofounder of the corporate security and penetration testing company Casaba Security. “You would think a company like this, guarding what they are guarding, would have a heightened sense of consciousness and that clearly was not true.”


Many experts note that the Equifax breach could represent a turning point in how institutions manage personal data. Though previous massive breaches have prompted some industry-wide changes, none has carried as much potential for harm as the Equifax incident, which may have exposed the Social Security numbers of nearly half the US population (not to mention other information) and may put all of those people at serious risk of identity theft. Seeing so many of Equifax’s missteps together may serve as a warning of the collapse that can eventually happen when security is an afterthought over decades of a corporation’s growth and expansion.

“There is no question a firm like Equifax will be targeted all of the time [by hackers] and that is hard, but all this speaks to bad security practices and a lackadaisical response,” Casaba Security’s Glassberg says. “My expectation is that this actually becomes a watershed moment and opens everyone’s eyes, since it’s astonishing how ridiculous nearly everything Equifax did was.”

The episode has raised awareness of the crucial importance of baseline corporate security, but whether regulators and legislators can actually deliver more accountability is another matter entirely.

