Millions of users of US credit company Equifax have been left stunned after the company revealed it had suffered a major data breach. With as many as 139 million customers thought to be potentially at risk, the breach is one of the largest in recent times, and it raises yet more questions about security protection at major companies.
So with many users now unsure of whether their details are safe, what has the security industry said about the Equifax data breach?
David Emm, principal security researcher, Kaspersky Lab
“This is yet another case of a breach becoming public long after the incident itself occurred, which underlines the need for regulation. It's to be hoped that the GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and, secondly, notify the ICO of breaches in a timely manner. The best way for organisations to combat cyber-attacks is by putting in place an effective cyber-security strategy before they become a target. Customers that entrust private information to businesses should be safe in the knowledge it is kept in a secure manner – and businesses should use security solutions to significantly mitigate the risk of a successful attack.”
“Consumers have no control over the security of their online providers, but they can mitigate the risk of a security breach of an online provider’s systems. We would recommend that everyone uses unique, complex passwords for all their online accounts, and we would also urge people to take advantage of two-factor or two-step authentication where a provider offers this.”
Paul McEvatt, senior cyber threat intelligence manager, Fujitsu
“Cyber-attacks make headlines on a daily basis, and today Equifax has fallen victim. With data becoming a new currency in itself, any organisation that holds data has a target on its back. These threats are only going to increase exponentially, and as a result no business can afford not to take its data protection and cyber security seriously, or indeed make it its number one priority. We have seen how data breaches do indeed have both reputational and financial ramifications, and in this case, with Social Security numbers, birth dates and addresses being accessed, a lot will need to be done to build up customer trust again.
“What businesses in the UK should take away from this breach is the seriousness of data protection. The implementation of GDPR is going to be upon us before we know it, and businesses will then also have to pay regulatory fines on top of any customer fallout, brand damage and stakeholder relations they would have to manage. Organisations need to take these headlines as a warning and use this as an opportunity to get all of their cyber measures in place.
“It’s clear that determined attackers do find ways to breach various layers of defence, so organisations need to focus on playbook-driven approaches and true security analytics, concentrating their efforts on protecting the data and entities that would cause significant damage to the business. It’s key to collect the right logs at the right logging levels, integrated with threat intelligence. This would provide the context and situational awareness necessary to deal with today’s advanced cyber threats. There must be a clear and well-rehearsed incident management plan for a breach, addressing internal and external communication in addition to containment and recovery activities. Ensuring a compliant business environment will help protect the services that we depend on as a nation.”
Ondrej Vlcek, CTO and general manager, consumer, Avast
“It is still not clear what kind of vulnerability was taken advantage of in the Equifax breach; however, it is likely it was a leak through a web application flaw. It is unacceptable that credit bureaus, which hold so much personal information that they then sell, can allow such a breach to happen and practise poor security hygiene.”
“We speculate that the attackers used a SQL injection to gain access. Hackers are consistently searching for these vulnerabilities, and companies, especially those with access to so much sensitive information, need to significantly increase their diligence in maintaining security of their data. This is one of those cases where there is unfortunately really nothing consumers can do except be vigilant. We expect it is only a matter of when, not if, this data appears on the Dark Web market.”
“At this point there are a few actions potential victims can take to help ensure they are protected. First, closely monitor all email, social, credit card and bank accounts for suspicious activity. Second, consider looking into a credit freeze that will stop hackers from using your identity to accrue debt. Also, don't respond directly to emails and other messages notifying you that you're a victim. They may be scams. Instead, open up a new tab and log in directly to the site in question, or call the support centre number listed on its site.”
Lee Munson, security researcher at Comparitech.com
"The scale of the Equifax breach, if the quoted figure of 143 million compromised records turns out to be accurate, is immense and could have far-reaching consequences for its American customers."
"That the target of this breach is a company that deals in such sensitive information, including credit card numbers and bank account details, highlights the value of personal and financial data to those who would steal it.
"Anyone potentially affected by the breach has some work to do now. While it is not known whether card data was encrypted or not, I suspect it is likely that personal information was easily accessible."
"Given how many people create usernames and passwords based on family names, or still use sites with 'secret questions' to which the answers are inherently personal, a change of passwords across a number of sites may well be in order right now."
"Also, with the same information being an identity thief's goal, regular checks of bank account statements and credit reports will also be the order of the day, though those affected may want to choose a service from a different credit bureau for this purpose!"
"Lastly, as with all breaches, Equifax customers should also be on the lookout for spam and targeted phishing emails which use the event to create convincing lures into worlds of even more hurt for them."
Richard Parris, CEO and chairman, Intercede
"Companies like Equifax are supposed to be the bastions of customer data. Yet, as has worryingly become commonplace today, businesses are continuing to neglect how they protect customer data – and even their own data."
"The right security methods are out there – strong authentication that incorporates multiple levels of authentication such as PIN numbers, devices and biometrics. This makes it much more difficult for cybercriminals to hack into systems. But it appears businesses are getting lazy and lack the volition to make change."
"Equifax’s data breach is an example of the type of breach we should not be seeing today, and it’s worrying that calls for change are falling on deaf ears. Businesses will have no choice but to sit up and listen as GDPR comes into effect next year, but it’s reproachable to see businesses continuing to play fast and loose with our personal information until something bad happens to them."
Andrew Avanessian, COO at Avecto
“Too often, companies focus on features and functions, and layer security on as an afterthought. That must change. Hackers and cyber criminals can quickly exploit any flaw in a web application without too much trouble, and this looks to be the case here.
“Organisations must address these issues and re-focus on the security fundamentals and best practices such as testing, patching and least privilege. Basic security hygiene could have been enough to prevent a breach of this scale from happening. Security is never a one-time investment; it is a journey, not a destination, and it requires constant thought, attention and action.
“It’s crucial that those affected stay vigilant, as the details exposed in this incident are enough for a hacker to commit fraudulent acts and even steal personal identities. I’d recommend watching out for emails asking to confirm personal details, or requesting username and password information. If you’re ever unsure, it’s always best to contact a company directly by phone to check that it’s an authentic communication.”