The European Commission v. the Equifax Breach
By John Clamp.
Once more there is a breach; this time it is Equifax.
Another day, another security disaster at another major data controller. Attackers who gained access to the network of credit agency Equifax walked away with the Social Security numbers and other personal details of 143 million Americans. That is almost half the entire population of the United States. Some 400,000 Britons and 100,000 Canadians also had details, including bank account numbers, stolen.
Here at Seorw.com we thought we’d do a thought experiment on the Equifax breach. We’ll look at the possible sanctions Equifax may suffer as a result of the hack, and how things might have played out if the EU’s General Data Protection Regulation (GDPR) had already been in force.
Equifax has always been one data breach away from disaster, as it holds one of the world's largest repositories of sensitive financial data. Attackers were inside the company's systems for months, taking the data they stole from mid-May this year; the intrusion was not discovered until July. Equifax may well end up paying a fine in any case, but what might have happened if the hack had taken place next June, after the date from which the GDPR applies?
Much revolves around whether Equifax was negligent, or knowingly exposed itself to a foreseeable breach. Where there is evidence of that, the supervisory authorities acting under the GDPR will have wide powers to fine companies, and to impose other sanctions that include a temporary or permanent ban on processing personal data, which in practice would stop a data controller doing business in the European Union.
Evidence has emerged that Equifax did indeed take its eye off the ball. At the very time the company was being penetrated, it was in a dispute with its independent security contractor Mandiant. By the time the two companies had settled their differences, the attackers had installed no fewer than 30 'web shells' inside Equifax's systems, any one of which was enough to give them unfettered access to sensitive data held by the company.
These web shells were planted through a vulnerability in Apache Struts, a widely used framework for Java web applications. The flaw was reported to Apache by Chinese security researcher Nike Zheng, and the Apache Software Foundation released a fix on March 6 this year. Does that absolve Equifax? Not much. It is fair comment that any major data controller (to use the technical term), especially one holding data as sensitive as Equifax's, should track every public vulnerability disclosure and fix relevant to its systems and apply it promptly. This one was relevant, and roughly two months passed between the fix being published and the data leaving the building.
The original 'entry team' of hackers, thought to be based in China, handed their work off to more experienced cyberthieves. A number of observers say this may point to the involvement of state actors, and some have fingered the Chinese. However, U.S. security sources told Bloomberg that there is not yet quite enough evidence to confirm this, and have indicated that a different state, rather than China, may be involved. Full details are yet to emerge.
The Bloomberg report, citing sources familiar with both the U.S. federal investigation and Equifax's own internal investigation, says that a dispute between Equifax and Mandiant earlier this year left the company's systems exposed, because it delayed a planned assessment of weaknesses in Equifax's defences. That hiatus gave the attackers time to mine Equifax's data for its most valuable prize: the financial details of an unknown number of high-net-worth individuals.
There is, too, evidence that points to a more general laxity over data security standards at Equifax. Steven VanWieren, the company's former vice president of data quality, who left Equifax in 2012 after 15 years, posted the following on LinkedIn once the breach became public: 'It bothered me how much access just about any employee had to the personally identifiable attributes. I would see printed credit files sitting near shredders, and I would hear people speaking about specific cases, speaking aloud consumers' personally identifiable information.'
In the end, the hackers extracted so much data that they broke it into smaller transfers, each sized to stay below the volume thresholds of Equifax's outbound data monitoring, which is designed to alarm on large single outflows. A control that looks only at the size of each transfer is blind to a long series of small ones; the total leaving the network over an hour or a day is the number that matters.
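The chunking trick described above is worth seeing in code. The following is an added example, not anything from the article or from Equifax: it runs two detectors over a small, constructed outbound-transfer log. The first alarms only on single transfers above a per-transfer limit, the way the article describes Equifax's alarms; the second keeps a sliding one-hour window per (source, destination) pair and alarms on the running total. The log lines, host names, addresses and thresholds are all invented for the demonstration.

```python
"""Threshold-per-transfer versus sliding-window exfiltration detection."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Format: timestamp,src_host,dst_ip,bytes_out
# db-export-01 sends eight 9 MB chunks in under an hour (72 MB total, no single
# transfer large); backup-02 sends one 80 MB transfer; web-01 is background noise.
SAMPLE_LOG = """\
2017-05-14T02:00:05Z,db-export-01,203.0.113.10,9000000
2017-05-14T02:03:40Z,web-01,198.51.100.20,120000
2017-05-14T02:07:12Z,db-export-01,203.0.113.10,9000000
2017-05-14T02:14:30Z,db-export-01,203.0.113.10,9000000
2017-05-14T02:21:08Z,db-export-01,203.0.113.10,9000000
2017-05-14T02:28:44Z,db-export-01,203.0.113.10,9000000
2017-05-14T02:30:00Z,backup-02,198.51.100.5,80000000
2017-05-14T02:35:19Z,db-export-01,203.0.113.10,9000000
2017-05-14T02:42:51Z,db-export-01,203.0.113.10,9000000
2017-05-14T02:49:33Z,db-export-01,203.0.113.10,9000000
2017-05-14T02:55:00Z,web-01,198.51.100.20,95000
"""

# Hypothetical policy: 50 MB is "large", whether in one go or within any one hour.
PER_TRANSFER_THRESHOLD = 50_000_000
WINDOW = timedelta(hours=1)
WINDOW_THRESHOLD = 50_000_000


def parse_log(text):
    """Turn the CSV text into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return records


def per_transfer_alerts(records, threshold=PER_TRANSFER_THRESHOLD):
    """Naive detector: alarm only when a single transfer exceeds the threshold."""
    return [(ts, src, dst, n) for ts, src, dst, n in records if n > threshold]


def sliding_window_alerts(records, window=WINDOW, threshold=WINDOW_THRESHOLD):
    """Aggregate bytes per (src, dst) over a trailing window; alarm once per pair
    when the running total crosses the threshold, reporting the total at that moment."""
    history = defaultdict(deque)   # (src, dst) -> deque of (timestamp, bytes)
    alerted = set()
    alerts = []
    for ts, src, dst, n in sorted(records):
        key = (src, dst)
        q = history[key]
        q.append((ts, n))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        total = sum(b for _, b in q)
        if total > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ts, src, dst, total))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per-transfer alerts:")
    for ts, src, dst, n in per_transfer_alerts(recs):
        print(f"  {ts.isoformat()} {src} -> {dst}: {n} bytes in one transfer")
    print("sliding-window alerts:")
    for ts, src, dst, total in sliding_window_alerts(recs):
        print(f"  {ts.isoformat()} {src} -> {dst}: {total} bytes in the last hour")
```

On this input the per-transfer detector sees only the single 80 MB backup; the chunked export from db-export-01 never trips it. The sliding-window detector catches the backup too, and then raises on db-export-01 at the sixth 9 MB chunk, when the hour's total reaches 54 MB. Real deployments tune the window and threshold per host role and baseline, but the structural point stands: aggregate by source and time, not by individual transfer.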
The GDPR, which applies from May next year, stipulates that when a supervisory authority decides whether to impose a financial penalty, and how large it should be, it must take into account the nature, gravity and duration of the infringement and the number of data subjects affected. The Equifax hack is an elephant on both counts. Size: absolutely ginormous. Seriousness: extreme. The data stolen from the credit agency is some of the most sensitive that can be held by a 'data controller' such as Equifax, comprising vast quantities of financial and personal information.
Any sanction or penalty imposed under the GDPR would most certainly have taken account of Steven VanWieren's comments. If his allegations are true (bear in mind that he has not made them under oath), the laxity he describes would be a severely aggravating feature of the case. The GDPR requires controllers to take appropriate technical and organisational measures to protect personal data, which in practice covers the basics: restricting who can access records, protecting credentials such as passwords and internal network log-in details, and regularly testing that those measures work. If what VanWieren says is true, even a cursory review of the kind the GDPR expects would have sounded the alarm.
Economy of scale
Given the Mandiant kerfuffle and VanWieren's allegations, Equifax could be accused, at the very least, of not prioritising data security over other concerns. Under the upcoming GDPR regime, that makes the breach a very serious one indeed. The scale, too, is mind-boggling, since more than half of all American adults have had sensitive details stolen.
It is a certainty that European citizens' details are included in the haul. Data on 400,000 Britons is, and as of this moment the U.K. remains an EU member. The huge hack has already brought down Equifax's chief executive officer, Richard Smith, and in true American litigious style, lawsuits have already been filed by some of those affected. One commentator, University of Michigan business professor Erik Gordon, believes the company will have to stump up 'an amount that has a "b" in it' to settle all the disputes and/or pay whatever fine results.
Had the breach happened a year hence, Equifax might well have been facing the ultimate sanction: a fine of up to four percent of its worldwide annual turnover (or €20 million, whichever is higher). Given that the company's revenue is about $3.1 billion a year, the maximum fine would be roughly $124 million: hardly small beer. Individual claims on the company will certainly run into the hundreds of millions of dollars, and it will take some time before we know what sanctions U.S. government agencies will impose on Equifax.
One other concern I’d have is that unless we human beings get our house in order, computer systems with AI capabilities (however basic) might come to the correct conclusion: that humans who work in offices are useless at cyber hygiene. They don’t change passwords, they use ones that are easy to crack, they give their log-in details to friends, they open emails they shouldn’t, and they leave vulnerabilities in their networks. Any AI computer with even a modicum of self-respect would come to the (correct) conclusion that humans are not to be trusted when it comes to preventing cybersecurity breaches. Thus they’ll likely work on their own solution.
Meanwhile, hacks get more serious, not less, as time goes on. Ian Levy, the technical director of the UK's National Cyber Security Centre, has warned that a so-called 'category one' cyber attack (one that needs a national-level response) is a virtual certainty, and sometime soon. If you're a cybersecurity professional, your short- to medium-term career prospects should be good (up until the point at which AI takes over, that is).
Cybersecurity wonk Dan Kaminsky believes that data security is too important to be left to the market. In his keynote speech at last year's Black Hat conference, he called for the creation of a federal agency, similar to the National Institutes of Health, to monitor the nation's cyberhealth. What is needed, he argued, is an agency capable of creating 'engineering solutions to the real-world security problems that we have.
'It can't just be two guys. [We] need a pile of nerds to be able to work on this for ten years. We can support health and energy and roads and cars, but somehow we can't support the thing that is driving our economy right now? That's crazy.'
When it comes to cash and fraud, many are finding that the big companies to whom they entrust their information are simply not up to snuff. We may find that in the end we have to take responsibility for the security of our most sensitive data ourselves, because we are far more motivated to protect it than big corporations are to protect the data they hold on their millions of 'data subjects'. No doubt at some point the tech market will come up with a solution to this key issue, and let's hope it is one that enables us, as individuals, to take control.
If there’s any justice, then there’s one currency that Equifax may have used up entirely: the trust of its clients, and the trust of the general public.
If you're wondering what you should do about the Equifax data breach, see the US Federal Trade Commission's published guidance for affected consumers.
We'll be writing more about the EU's General Data Protection Regulation and how to protect your business soon.