We’re All Going to Pay for Equifax


Much remains to be uncovered – or revealed publicly – about the breach of personal data at Equifax. One thing is certain: we will be hearing a lot more about Equifax in the coming months.

Unfortunately, the escalating threat environment and circumstances that led to the breach are not new. Just from what is apparent to date, it was the lack of appropriate coordination of technology, people and processes that resulted in the theft of 143 million personal records.

  • For whatever reason, failure to patch known vulnerability CVE-2017-5638.
  • The personal data of 400,000 British customers were exposed due to a “process failure
  • Sending concerned citizens to a phishing site.

So what can we anticipate from here? There are some earlier examples and similar patterns.

The 2012 Ababil attacks on U.S. financial institutions were also seen as a watershed event. These attacks stood out at the time for a number of reasons. They involved a mix of application layer DDoS attacks on HTTP, HTTPS and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP and other IP protocols. They were believed to be state sponsored. Target companies were announced in advance and the campaign involved simultaneous attacks, at high bandwidth, on multiple companies in the same vertical.

And though the wheels of government may turn slowly, they continue to turn. It so happens that in the week following the announcement of the Equifax breach the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced actions taken against the perpetrators of the Ababil attacks. Earlier this month (again, the slowly turning wheels of government), came the enactment of the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500). Several of the provisions of 23 NYCRR Part 500 were initially proposed post-Abibal.

In wake of Equifax we are very likely to see more cyber-attack preparedness attention from lawmakers and regulators. Governments across the globe have been encouraged to increase oversight, and they already know their best hammer is financial penalties. And consider: the Ababil attacks were by and large successfully mitigated, while the Equifax breach is a still unfolding personal information disaster.

Under the EU’s General Data Protection Regulation (GDPR), firms could be fined up to 4% of their global revenue if they suffer a breach. Less well known, GDPR Article 82, Right to Compensation and Liability, establishes “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” GDPR penalty enforcement begins May of 2018. Under the EU Network and Information Systems (NIS) Directive – separate from GDPR – organizations deemed non-compliant could suffer the same penalties, up to 4% of revenue.

It is important to note the reach of this and other regulations. Geographic location of your business has become virtually meaningless. You do not have to be physically located in Europe to be subject to GDPR. Like the 23 NYCRR Part 500 regulation, the GDPR explicitly encompasses third-party “processors” of personal data no matter where you are located and no matter what industry you are in.

Increasing regulations are also expanding beyond the security of personal data, to include the integrity, availability and resilience of critical infrastructure such as financial services, energy companies, water, transportation, information services and government organizations.

The Equifax breach was not the first, nor will it be the last. History suggests that yet again, perhaps sooner rather than later, we will be seeing more oversight, regulations and potential penalties.

As a consumer, I say GOOD. Businesses that are lax in their security posture and preparedness, especially those entrusted with our most personal information, should pay a heavy price. As someone in the security business I say…well, I’m not sure that’s such a great idea. It depends on what rules and regulations come out. If we end up with a collection of different state and federal and EU-wide regulations, it could become a maze of confusion. Nobody will benefit if all aspects of security are driven by compliance requirements.

We’re all going to pay for the Equifax breach. The question is, how much? Finding the right balance in a time of widespread consumer and political outrage is going to be a very difficult task indeed. Almost as difficult as doing basic systems patching, apparently.

To learn more about the adversaries targeting your business, check out this fascinating paper from 451 Research titled, Tech Industry Doppelgangers: Campaign Innovation in the World of Cybercrime.