Equifax: A Tale of Caution about Bad Information Security and Compliance Practices

US credit agency Equifax has landed in serious hot water after a spate of information security failures and alleged compliance breaches uncovered by security researchers, technology news sites and, potentially, the Federal Trade Commission.

The initial breach, which potentially exposed the sensitive personal and financial data of 143 million Americans, resulted from the company’s failure to patch (that is, to apply the vendor’s fix for) a two-month-old vulnerability in Apache Struts, the open-source Java web application framework on which the breached Equifax website was built. The flaw, CVE-2017-5638, let an unauthenticated attacker run arbitrary code on the server by sending a crafted Content-Type header to the framework’s Jakarta Multipart file-upload parser. Despite public reports that the bug was being actively exploited, Equifax left the social security numbers, driving licence details and other personal financial information of millions of Americans exposed; the breach also revealed the names, dates of birth, email addresses and telephone numbers of approximately 400,000 UK consumers.

The fix for CVE-2017-5638 was published by the Apache Struts project on 6 March 2017 (in Struts 2.3.32 and 2.5.10.1), yet the agency’s website was breached through that same vulnerability in mid-May of the same year. For this reason Equifax stands accused of gross negligence: it failed to protect its customers and knowingly left their data open to attack.
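The patch gap described above is detectable with a plain dependency inventory check. The following is an added example, not code from the original article or from Equifax: it walks a list of deployed jar paths and flags any struts2-core build whose version falls inside the ranges the Apache S2-045 advisory lists as affected by CVE-2017-5638 (2.3.5 to 2.3.31 and 2.5 to 2.5.10). The inventory paths are constructed for the example. A version string check is necessary but not sufficient: it will miss shaded or renamed jars and vendor builds with backported fixes, so treat a clean result as a prompt for a deeper look, not a clean bill of health.

```python
"""Added example: flag Apache Struts 2 builds still exposed to CVE-2017-5638 (S2-045).

Affected ranges and fixed releases are taken from the Apache S2-045 advisory;
the jar inventory at the bottom is constructed for this example.
"""
from __future__ import annotations

import re
from typing import Iterable

# Version ranges from the S2-045 advisory, inclusive on both ends.
# Fixed in 2.3.32 and 2.5.10.1, which lie just outside these ranges.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
)

# Matches the canonical artifact name, e.g. struts2-core-2.3.31.jar
_JAR_RE = re.compile(r"struts2-core-(?P<version>[0-9][0-9.]*?)\.jar$")


def parse_version(text: str) -> tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31). Rejects anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(version: tuple[int, ...], width: int) -> tuple[int, ...]:
    """Right-pad with zeros so (2, 5) and (2, 5, 10, 1) compare component-wise."""
    return version + (0,) * (width - len(version))


def is_vulnerable(version: str) -> bool:
    """True if the Struts version lies inside an affected range."""
    parsed = parse_version(version)
    for low, high in AFFECTED_RANGES:
        width = max(len(parsed), len(low), len(high))
        if _pad(low, width) <= _pad(parsed, width) <= _pad(high, width):
            return True
    return False


def audit_jars(paths: Iterable[str]) -> list[tuple[str, str]]:
    """Return (path, version) for every struts2-core jar in an affected range."""
    findings = []
    for path in paths:
        match = _JAR_RE.search(path)
        if match and is_vulnerable(match.group("version")):
            findings.append((path, match.group("version")))
    return findings


# Constructed inventory: what a filesystem walk of a few app servers might return.
SAMPLE_INVENTORY = [
    "/opt/tomcat/webapps/disputes/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.24.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for jar_path, jar_version in audit_jars(SAMPLE_INVENTORY):
        print(f"VULNERABLE struts2-core {jar_version}: {jar_path}")
```

Run against the sample inventory, the 2.3.31 and 2.3.24 jars are reported and the patched 2.5.10.1 build is not; the four-component version is the reason the comparison pads with zeros rather than comparing strings.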

Sadly, Equifax’s history of imprudence doesn’t end there. At its Argentinian operation, a computerised system holding similarly sensitive data about South American customers was configured to grant privileged access and control with the laughably guessable username and password combination ‘admin/admin’. The site, an online tool used by the company’s employees, was temporarily shut down after its weak credentials were made public, and the following statement was released:

“We immediately acted to remediate the situation, which affected a limited amount of information strictly related to Equifax employees.

We have no evidence at this time that any consumers or customers have been negatively affected, and we will continue to test and improve all security measures in the region.”

However, Hold Security, the cyber security firm that uncovered the admin username and password, has more to add. It reports that, using the original admin log-in, it was able to download more than 100 username/password combinations belonging to the organisation’s Argentinian employees, most of which were equally weak: the password matched the username, and both were simply the employee’s forename or surname. Additionally, from the main page of the portal, Hold Security reports being able to reach 715 pages of customer complaints and credit report disputes, each listing the Argentinian equivalent of the customer’s social security number.
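The weaknesses Hold Security describes (a default admin/admin pair, passwords equal to the username, passwords that are just the employee’s name) are exactly the ones a credential audit should catch before an outsider does. The block below is an added example, not code from the original article or from Hold Security: it takes an exported account list with plaintext passwords (plaintext only because that is what the report says was retrievable) and labels each account with the weaknesses found. The accounts and names are constructed for the example; the default-credential list is a small illustrative set, not an exhaustive one.

```python
"""Added example: audit an exported credential list for default pairs,
password-equals-username and name-derived passwords.

All account records below are constructed for this example.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass

# Illustrative default pairs; a real audit would load a fuller list.
DEFAULT_PAIRS = {("admin", "admin"), ("root", "root"), ("guest", "guest")}
MIN_LENGTH = 8


@dataclass
class Account:
    username: str
    password: str          # plaintext, as in the export the report describes
    forename: str = ""
    surname: str = ""


def _norm(text: str) -> str:
    """Lower-case and strip accents so 'Pérez' compares equal to 'perez'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def weaknesses(acct: Account) -> list[str]:
    """Return the list of weakness labels that apply to one account."""
    user, pwd = _norm(acct.username), _norm(acct.password)
    found: list[str] = []
    if (user, pwd) in DEFAULT_PAIRS:
        found.append("default-credential")
    if user == pwd:
        found.append("password-equals-username")
    for label, part in (("forename", acct.forename), ("surname", acct.surname)):
        name = _norm(part)
        # Ignore very short name fragments that would match almost anything.
        if len(name) >= 3 and name in pwd:
            found.append(f"password-contains-{label}")
    if len(acct.password) < MIN_LENGTH:
        found.append(f"shorter-than-{MIN_LENGTH}")
    return found


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Map username -> weaknesses for every account that has at least one."""
    return {a.username: w for a in accounts if (w := weaknesses(a))}


# Constructed export: the shape of what a weak portal might hand back.
SAMPLE_EXPORT = [
    Account("admin", "admin"),
    Account("jperez", "perez", forename="Juan", surname="Pérez"),
    Account("mgarcia", "Garcia2017", forename="Maria", surname="Garcia"),
    Account("lromero", "c0rrect-Horse-battery", forename="Lucia", surname="Romero"),
]

if __name__ == "__main__":
    for username, labels in audit(SAMPLE_EXPORT).items():
        print(f"{username}: {', '.join(labels)}")
```

The accent normalisation matters in a Spanish-language environment: without it, a surname stored as ‘Pérez’ would never match the password ‘perez’ and the check would silently pass the account.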

As if to add insult to injury, thirty-six US senators have called for a federal investigation into how three of Equifax’s senior executives came to sell nearly $2m worth of shares just days after the company discovered the initial breach, and before the incident was publicly reported.

News of the sales has drawn worldwide criticism, although the company’s official statement is that the three executives ‘had no knowledge that an intrusion had occurred’ at the time the shares were sold.

Whilst this may seem improbable, to prove insider trading prosecutors would have to show that the executives knew about the breach when they decided to sell their stock, which experts say is a tough thing to prove in court. Nevertheless, as Brandon L. Garrett, a professor at the University of Virginia School of Law, suggests, this is ‘the type of conduct that a company should not tolerate in its executives. It sends a terrible message to the public and to customers.’

VinciWorks is a leading provider of compliance education and risk management solutions. We have a comprehensive suite of cyber-security and compliance eLearning courses, supported with brand-on-demand posters, communication tools, and much more.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on data controllers, data processors and their DPOs. Personal data breaches must be reported to the supervisory authority within 72 hours of the controller becoming aware of them, each new data processing activity needs to be documented, and Data Protection Impact Assessments (DPIAs) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach €20 million or 4% of worldwide annual turnover, whichever is higher.
