After Equifax's multi-million dollar settlement with US authorities relating to its 2017 data breach, issues of cyber security come under the microscope
Last week, “big three” credit rating agency Equifax reached a multi-million dollar agreement with US authorities to settle a case relating to its 2017 data security breach – in which “staggering amounts” of personal information from almost 150 million customers was accessed by hackers.
The Atlanta, Georgia-based credit giant will pay as much as $700m to resolve the case led by the US Federal Trade Commission (FTC), marking the regulator’s biggest ever cyber security settlement deal.
Equifax security measures brought into focus by data breach
The breach brought into sharp focus the issue of digital security within financial services firms charged with safeguarding highly sensitive personal information, along with the proactive measures that these firms should be taking to avoid a major security incident.
Big data analysis plays an important role in this, and there have been suggestions that more proactive monitoring of customer complaint data collected by the Consumer Financial Protection Bureau (CFPB) – one of the agencies involved in bringing the case against Equifax – could have identified the breach earlier, and limited the damage caused.
This was the view of Matt Mazzarell, a senior data scientist at US analytics firm Teradata, who told a conference in Las Vegas last year that spikes in complaints to the CFPB about identity theft offered clues as to what was going on behind the scenes.
He said: “If we look at the data, we could definitely tell there was something going on before the Equifax hack – we just needed analytics to bring it out.
“How couldn’t you have known about the problem around June 2017, when so many people were complaining about their identity being stolen and other types of fraud?
“The CFPB could have asked questions a lot earlier.”
Easier to predict Equifax security breach in hindsight
But whether this kind of data monitoring would have been enough to avert the Equifax data breach is debatable, given the scale and diversity of the cyber security threats out there.
This is also backed up by the FTC allegation that the vulnerability exposed in Equifax’s IT systems was a known issue the company failed to address.
As James Barrett, EMEA senior director at New Zealand-based IT security firm Endace, puts it – “hindsight is a wonderful thing”.
“Retrospectively, you always know what you’re looking for because it’s something that correlates to a breach, or whatever the event might be.
“There are dozens of metrics to monitor – so how do you know which one to keep an eye on?
“Until something goes wrong, you don’t know whether you’ve been monitoring the right thing.”
Endace develops tools and devices to monitor and record the data that passes along IT networks, in a bid to increase visibility and make it easier to identify the cause of a problem when things go wrong.
It helps companies create “a holistic picture” of a security incident on a computer network, in order to contextualise it and provide a “conclusive understanding” to clients of what happened before, during and after an attack.
While Mr Barrett agrees that effective monitoring of consumer complaint data using machine learning could have proved a valuable tool in tackling the Equifax data breach, he believes that as a measure in isolation, it would not have been enough to predict what was to come.
“I’m not sure that you would have put two and two together,” he says.
“The process isn’t really there to link the statistical increase in the number of customer complaints against a cyber-attack.
“Generalising this human level data is really hard, and to do it at such scale is harder still.”
Firms like Equifax need a multi-layered approach to cyber security
For Mr Barrett, the fight against cyber crime demands a multi-layered approach that includes identifying patterns through data analysis, gathering threat intelligence from places like dark web message boards, and network monitoring for things like “reconnaissance phases”, which give clues as to what hackers are targeting.
And as technology grows more advanced and widespread in both company infrastructure and daily life, so too do the ways it can become compromised by those with ill intent.
This multiplicity in vulnerability means the approach to safeguarding against an attack must reflect the variety in potential threats.
Mr Barrett explains: “It’s really difficult to be specific from any kind of early warning data unless you’ve got the wider threat intelligence.
“It’s a challenge affecting every organisation – from the likes of Equifax, to big banks, big government departments, all the way down to accountancy or consultancy firms.
“There are hacking attempts all the time and we are all at risk – and unless there is a significant step-change, things are only going to get worse.
“As technology and devices get more and more complex, they become easier to find holes in, and it’s a lot harder to make sure that you’ve shored up every problem.
“The more complexity there is, the harder it is to protect, and we’ve got to keep getting smarter.”
Equifax ‘failed to implement basic security measures’
The crucial detail, however, in the context of the Equifax breach was that the firm was made aware of the vulnerability in its IT system months before the breach was detected – prompting the FTC’s allegation of “failure to implement basic security measures”.
The regulator claims Equifax was alerted to the “critical security vulnerability affecting its automated consumer interview system (ACIS) database” in March 2017.
It said that even though the firm’s cyber security team ordered the necessary “patches” that would have fixed the flaw in the system, “Equifax did not follow up to ensure the order was carried out by the responsible employees”.
The suspicious activity and the failure to patch the issue were discovered months later in July, with an investigation revealing that “multiple hackers were able to exploit the ACIS vulnerability”.
They were then able to access administration credentials that allowed them to retrieve “vast amounts of consumers’ personally identifiable information and to operate undetected on Equifax’s network for months”.
In all, hackers stole 147 million names and dates of birth, 145.5 million social security numbers, and 209,000 payment card numbers and expiration dates during the incident.
According to the FTC, this constituted a violation of legislation requiring US financial institutions to “develop, implement, and maintain a comprehensive information security programme to protect the security, confidentiality, and integrity of customer information”.
For Mr Barrett, this basic lapse in security by Equifax was the “absolute key thing” in leading to the data breach in 2017, underlining the need to ensure that weaknesses identified in an IT system are patched swiftly and regularly.
“It’s sad that it still boils down to that, but in the end it’s those hygiene factors that are more important than anything else,” he adds.
“This wasn’t some incredibly talented hacker who did something amazing – it was a simple vulnerability to exploit.
“It’s about doing the housekeeping.”