Patch your software. Segment your network. Monitor for intruders. According to tech experts, those are security basics for businesses of any size. But when you are industry giant Equifax – a company in possession of staggering amounts of highly confidential information about more than 200 million Americans – it’s almost unthinkable not to implement those fundamental protections. An FTC, CFPB, and State AG settlement of at least $575 million illustrates the injury to consumers when companies ignore reasonably foreseeable (and preventable) threats to sensitive data. Read on for security tips for your business and what consumers can do to get compensation for their losses and sign up for free credit monitoring.
The Equifax data breach has been in the headlines, but what happened behind the scenes? According to the complaint, in March 2017, US-CERT – Homeland Security’s cyber experts – alerted Equifax and other companies about a critical security vulnerability in open-source software used to build Java web applications. The alert warned anyone using a vulnerable version of the software to update it immediately to a free patched version. It didn’t take long before the press reported that hackers had already started to exploit the vulnerability.
Equifax’s security team got the US-CERT alert on March 9, 2017, and sent it to more than 400 employees with instructions that the staffers responsible for the affected software should patch it within 48 hours, as required by the company’s Patch Management Policy. Within a week, Equifax performed a scan intended to search for vulnerable forms of the software remaining on its network. But the scan Equifax conducted wasn’t up to the task, which ultimately proved devastating to consumers. The lawsuit alleges that Equifax didn’t detect the “open sesame” vulnerability in its system for months.
How sensitive was the data stored on the ACIS portal? The hack took place in the portal where Equifax collected information about consumer disputes, including documentation uploaded by consumers. In addition, Equifax used that platform for consumer credit freezes, fraud alerts, and even requests for a free annual credit report. Thus, millions of consumers interacted with the ACIS portal every year. The complaint outlines the specifics, but suffice it to say that for hackers looking for Social Security numbers, dates of birth, credit card numbers, expiration dates, and the like, the data on ACIS was a gold mine. According to Equifax’s forensic analysis, attackers were able to steal (among other things) approximately 147 million names and dates of birth, 145 million Social Security numbers, and 209,000 credit and debit card numbers and expiration dates.
Considering the staggering breadth of this breach, you should assume that your personal data has been compromised. We urge you to set up credit monitoring for yourself and file a claim with Equifax for their failure to protect your information. Visit https://eligibility.equifaxbreachsettlement.com/en/eligibility to determine if your information, or the information of a minor in your household, was compromised and ftc.gov/equifax (also available in Spanish) for information about how to apply for compensation.
The settlement requires Equifax to pay at least $300 million to a fund that will provide affected consumers with credit monitoring services, compensate people who bought credit or identity monitoring services from Equifax, and reimburse consumers for out-of-pocket expenses incurred as a result of the 2017 data breach. Equifax will add up to $125 million more to the fund if the initial payment isn’t enough to compensate consumers for their losses. Equifax also will pay $175 million to 48 states, the District of Columbia and Puerto Rico, and a $100 million civil penalty to the CFPB.
The Equifax settlement is a study in how basic security missteps can have staggering consequences. Here are tips your company can take from the case – according to the FTC’s brochure, Start with Security.
“Update and patch third-party software.” Companies should treat a security warning from US-CERT with the utmost seriousness. Equifax’s 48-hour Patch Management Policy may have looked good on paper, but paper can’t patch a critical software vulnerability. Of course, you should tell your IT team to implement appropriate patches and fixes. But you also need a belt-and-suspenders system to make sure your company follows through effectively.
“Ensure proper configuration.” There’s nothing inherently wrong with using an automated vulnerability scan, but if it’s not set up to know where to look, it’s just another collection of zeros and ones. The complaint alleges that Equifax compounded the problem by not maintaining an accurate inventory of what systems ran what software – a fundamental practice that would have made it easier to find the vulnerability in the ACIS platform.
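As an added example (not from the original post or from the FTC brochure), the following Python sketch shows the follow-through the last two tips call for: checking an asset inventory against an advisory's fixed version, and reconciling the scan's scope against the hosts actually seen on the network, so that a system missing from the inventory is reported rather than silently skipped. The host names, component name, versions and advisory are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    component: str        # affected software component (hypothetical name)
    fixed_version: str    # first version that contains the patch
    deadline_hours: int   # patch window the policy allows (48 hours in the post)

def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def vulnerable_hosts(inventory: dict, adv: Advisory) -> list:
    """Hosts whose inventory entry lists an unpatched copy of the component."""
    fixed = parse_version(adv.fixed_version)
    return sorted(h for h, comps in inventory.items()
                  if adv.component in comps
                  and parse_version(comps[adv.component]) < fixed)

def unscanned_hosts(inventory: dict, observed: list) -> list:
    """Hosts seen on the network but missing from the inventory. A scan scoped
    to the inventory never looks at them, whatever software they run."""
    return sorted(set(observed) - set(inventory))

def compliance_report(inventory: dict, observed: list, adv: Advisory,
                      hours_elapsed: int) -> dict:
    """Belt-and-suspenders view: what is still unpatched, what the scan could
    not see at all, and whether the policy deadline has already passed."""
    vuln = vulnerable_hosts(inventory, adv)
    return {
        "vulnerable": vuln,
        "not_in_inventory": unscanned_hosts(inventory, observed),
        "overdue": vuln if hours_elapsed > adv.deadline_hours else [],
    }

# Constructed sample data (hypothetical hosts, component and versions).
ADVISORY = Advisory(component="webframework", fixed_version="1.4.2", deadline_hours=48)
INVENTORY = {
    "web-01": {"webframework": "1.4.2"},   # patched
    "web-02": {"webframework": "1.3.9"},   # still vulnerable
    "web-03": {"webframework": "1.10.0"},  # newer; a string compare would misjudge it
    "db-01": {"dbms": "9.6"},              # does not run the component
}
# Hosts the load balancer actually routes to; one is unknown to the inventory.
OBSERVED_HOSTS = ["web-01", "web-02", "web-03", "dispute-portal-01"]

if __name__ == "__main__":
    print(compliance_report(INVENTORY, OBSERVED_HOSTS, ADVISORY, hours_elapsed=72))
```

The "not_in_inventory" list is the part an inventory-scoped scan cannot produce on its own; it needs a second source of truth (load balancer, DNS, DHCP) to compare against.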
“Monitor activity on your network.” Who’s coming in and what’s going out? That’s what an effective intrusion detection tool asks when it senses unauthorized activity. An effective system of intrusion detection could have helped Equifax detect the vulnerability sooner, thereby reducing the number of affected consumers.
“Segment your network.” The idea behind ships’ watertight compartments is that even if one portion of the structure sustains damage, the entire vessel won’t go under. Segmenting your network – storing sensitive data in separate secure places on your system – can have a similar mitigating effect. Even if an attacker sneaks into one part of your system, an appropriately segmented network can help prevent a data oops from turning into a full-fledged OMG.
If you would like to consult with Setliff Law regarding your business’ privacy and security practices, or an alleged claim against you for failure to protect sensitive, private information, please contact Steve Setliff at (804) 377-1261, firstname.lastname@example.org, or Megan Wagner at (804) 377-1275 or email@example.com.