It has been five years since Equifax’s infamous 2017 breach, where failures on multiple levels led to the exposure of personally identifiable information of approximately 143 million Americans. While this breach doesn’t even make the list of the 15 biggest data breaches of the 21st century, there is something about this particular incident that has continued to stick with people for years after. In this blog, we’ll examine why this breach resonated with so many people and how you can use this information to improve your own incident handling and avoid breach infamy.
A Brief Overview of a Mishandled Vulnerability
On March 8, 2017, US-CERT alerted the public about an Apache Struts vulnerability that, when exploited by a remote hacker, could allow them to take control of your system. In an ideal world, your security program would have received this alert in a bulletin from a trusted source, such as US-CERT or SANS Internet Storm Center, which could then be acted upon through your vulnerability and patch management processes to ensure your systems stayed secure.
That’s not what happened at Equifax. Two days after it was made public, hackers exploited the Apache Struts vulnerability and breached Equifax’s customer dispute portal, compromising several servers. The hackers returned on May 13, obtaining login credentials that allowed them to access numerous servers and multiple databases containing personally identifiable information (PII) which they harvested over a period of 76 days without being detected.
Equifax finally discovered the breach on July 29 when they renewed an encryption certificate that had expired 10 months prior and quickly discovered suspicious traffic indicating that they had a breach on their hands. The company took action to contain the intrusion, contacted law enforcement and launched a full investigation with a private firm to understand the impact of the breach. It was through this investigation that they discovered that the names, social security numbers, birthdates and addresses of over 143 million Americans had been exfiltrated and were out in the wild.
How You Respond Can Define Your Organization
Many articles have been written about the technical deficiencies that contributed to the Equifax breach, and rightly so. Sharing information about what went wrong stresses the importance of having best practices in place, such as effective vulnerability and patch management programs, network segmentation and certificate renewal processes. But these types of issues aren’t unique to this particular breach. According to Verizon’s 2022 Data Breach Investigation Report, servers are the most targeted asset in breaches. Threat actors target web applications and use stolen credentials in over 40% of incidents and breaches, and take advantage of misconfigurations, which are responsible for 13% of confirmed breaches.2
The big news about the Equifax breach wasn’t necessarily the breach itself, it was what happened afterwards. When Equifax finally went public about the breach, former CEO Rick Smith released a video that included very little information as to the actual cause or impact of the breach, apologizing for the cyber incident without actually accepting responsibility and stating, “Equifax will not be defined by this incident, but rather, by how we respond.”
Equifax made the breach public on September 8. That’s 41 days after they discovered it and 118 days after hackers initially began exfiltrating data from their servers.
To handle questions about the breach, Equifax made a dedicated website with a URL that looked suspiciously like a phishing site. So much so that someone made a fake Equifax site which was accidentally tweeted by Equifax several times before they discovered the error. The real Equifax website was plagued with errors and was flagged repeatedly as a phishing site. It would also tell people they’d been impacted by the hack even when they entered bogus information, and initially implied that if you entered your information to see if you were affected, you were giving up your right to sue Equifax (this was later walked back by Equifax).
Equifax’s solution was to offer free credit-monitoring services to every U.S. consumer, which was criticized by many as woefully inadequate and a way to sell consumer protection plans to consumers when their free services expire.
After their bungled response, additional details began surfacing about what actually caused the breach, including the report from the U.S. Government Accountability Office that was released in August 2018. In addition, it was found that several executives had sold their company stock after the breach was discovered but before the company had made it public. Equifax did the traditional breach dance by having their CEO step down and hiring a new CISO, but it didn’t change the fact that the company is still eating Rick Smith’s words five years later … Equifax has been largely defined by how they responded when it mattered most.
How You Respond in a Crisis Matters
If you’ve worked in security long enough, you’re familiar with incident response calls that can come at any hour of the day. I still vividly remember pacing outside my daughter’s dance studio in the dead of winter, handling a cyber incident while my daughter had ballet practice inside.
It can be challenging to try and juggle everything that needs to happen when you’re moving a thousand miles a minute and the pressure is on, whether that’s coordinating your technical response, making change management decisions or communicating with your stakeholders in the midst of a crisis. Tabletop exercises can be a great way to refine your incident response processes, but they tend to focus on how well you execute your technical response in a hypothetical scenario, which then informs how you build your incident response plans. The problem is that your technical response is only part of your incident response strategy.
How your organization responds when it discovers a breach or is faced with a similar crisis matters … a lot. As soon as your incident or breach information is made public, people are watching to see how your organization responds. They’re looking to see:
- Are you acknowledging the incident or are you choosing to say nothing and hope it goes away?
- Are you apologizing for the incident or shifting the blame?
- If you do apologize, are you taking responsibility for the incident or are you avoiding accountability?
- Are you making ethical decisions and acting with integrity, or are you making decisions based on your own self-interests instead of those of your customers?
With all of those eyeballs on you, you can bet that people will notice, comment and share everything they see, and in this digital era, your response (or lack thereof) can go viral before you can blink. And when you’re a smaller organization, how you handle a breach can be a pivotal point when your business depends on gaining and keeping your customer’s trust.
How Well You Respond Matters Even More
In this complex threat environment, it’s not a question of if you’ll encounter cyber threats but when it will happen. If you’ve been left vulnerable by natural disasters or other threats, you’re a prime target for bad actors. This is something Tricia Scherer dives into in her blog, After a Hurricane Comes a Rainbow…of Threats. You need to make sure you’re prepared for the inevitable by taking steps now to address gaps you have in your response.
You might have a documented incident response plan. Heck, you might even have some playbooks available to address cyber threats quickly. But as we’ve seen, how you respond goes beyond just handling the technical portion of the crisis.
- Does your plan include or reference a communication plan?
- Do you know what type of response your organization should have during a crisis, and how will you effectively communicate this to the public in a way that feels genuine, humble and honest?
- Have you taken steps to ensure that your response is based on your organization’s values?
- Have key members of your organization received crisis response training?
- Do you have templated responses available so that you can respond quickly when things are going sideways?
Just as complying with a framework doesn’t mean your organization is secure, focusing on how you’re responding isn’t nearly as effective as focusing on how well you’re responding. Shifting your perspective and taking a more strategic, risk-based approach will help you get ahead of threats and better protect your organization.
Tips For How Your Organization Can Handle Future Threats and Incidents
- Make sure you have plans in place that you can use during a crisis, such as an Incident Response Plan, Cyber Breach Response Plan and Cybersecurity Playbooks. These take the guesswork out of executing a swift and effective response
- Invest time into creating a Crisis Communication Plan. This document should provide guidelines to use during an emergency and can include step-by-step procedures for responding during a crisis, prepared statements, how and when to communicate to your stakeholders, strategies for communicating in different scenarios and organizational guidelines for managing a crisis
- Understand how your response can impact people’s perception of your organization and get comfortable with apologizing
- Be familiar with breach notification requirements your organization may be beholden to, whether that’s the HIPAA Breach Notification Rule, state-specific mandates or other requirements that apply to your data types, industry, operating location, product line or organizational structure
- Create a cyber assurance program that focuses on your Cyber Incident Response so that you can understand the threats and risks your organization faces and ensure that you have controls in place that effectively lower your residual risk
The Reciprocity® ROAR Platform gives you the ability to see, understand and take action on your IT and cyber risks. With a unified, real-time view of risk and compliance-framed around your business priorities — you’ll have the contextual insight needed to easily and clearly communicate with key stakeholders to make smart, strategic decisions that will protect your enterprise, systems and data, earning the trust of your customers, partners and employees.
Learn more about the Reciprocity® ROAR Platform, or schedule a free demo today.