For those of you who have been living under a rock this week, Equifax has suffered a major security breach in which the records of approximately 143 million consumers were stolen by attackers. The information Equifax holds is highly sensitive, particularly for US citizens: personal and financial data, including Social Security Numbers (SSNs) and credit card numbers, was taken, and there is a possibility that over 44 million records relating to UK and Canadian residents are also affected.
What might be news to you is that the intrusion began in May this year and the attackers went undetected by Equifax's security teams until 29 July. Initial indications point to the attacker(s) exploiting a vulnerability in Apache Struts, the Java web application framework behind the consumer-facing site, which gave them access to a vast amount of information. What Equifax has not yet confirmed is whether the core database holding the credit file reports was also compromised.
So why is this the new gold standard for "how not to do Incident Response"?
There are many ways Equifax could have handled this breach better, probably more than I can fit into a 700-word article, but I will try to address the main points here.
What is interesting, and disastrous for Equifax, is that the business knew about a significant breach of its information systems for nearly six weeks before publicly announcing the incident. That alone would be enough to undermine any sympathy from customers had the company come out with a "we are a victim too" angle.
However, Equifax then committed the cardinal sin of Incident Response: it protected its own interests before those of the customers it had clearly let down, with senior executives selling their stock before the breach was publicly announced!
Because Equifax put its own interests first (or at least created that perception), the "we're a victim too" card was no longer a viable option from a crisis communications perspective; instead the business created a mob and made itself a bigger target for hacktivist groups.
When Equifax did come out with a message about the breach, it directed customers to a website registered in August and ironically named Equifaxsecurity2017.com, mainly so they could check whether their details were included in the incident, with some advice on what they should do.
In principle this is a good idea; in practice the site looked like a phishing page, as did Trustedidpremier.com, the separate domain where customers could check whether they had been affected. Freshly registered domains outside the company's own equifax.com are exactly the pattern customers are told to treat as phishing, and both caused confusion among people who were already in a heightened state of paranoia.
What Equifax should have done is notify all affected customers by post, with a clear and concise message on what they should do and, most importantly, how Equifax is going to protect and compensate them, published on its main website. It had nearly six weeks to prepare, so there is really no excuse.
When in a heightened state of alert it is easy to focus only on the incident in hand. In fact, most breaches I have personally investigated have quickly led to a follow-up breach, because everyone is busy trying to work out how they were breached in the first place; an all-hands-to-the-pump response leads to a blinkered approach in which obvious holes are missed.
Unfortunately for Equifax, a site in Argentina was taken offline due to another potential breach, or at least a security misconfiguration: the site's administrative account used "admin" as both the username and the password. With the press hot on the heels of anything related to Equifax, the business cannot afford another mistake, especially one involving PII or credit card information.
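The Argentina portal is the kind of "obvious hole" that a blinkered response misses, and sweeping your own externally facing login forms for factory defaults is a cheap check to run while the main investigation is under way. The script below is an added example, not code from the article or from Equifax; the endpoint URLs, the credential list and the fake HTTP client that stands in for a real portal are all constructed so that it runs offline, and a real sweep would inject a wrapper around `requests.post` or `urllib` in place of `fake_post`.

```python
"""Sweep login endpoints for default credentials.

Added example: every URL, credential pair and server response here is
constructed for illustration. The HTTP client is injected as a callable so
the check can be exercised against a fake portal without network access.
"""
from typing import Callable, Dict, List, Tuple

# A short, constructed list of pairs commonly shipped as vendor defaults.
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("test", "test"),
]

# An HTTP POST is modelled as: post(url, form_fields) -> (status_code, body).
PostFn = Callable[[str, Dict[str, str]], Tuple[int, str]]


def login_succeeded(status: int, body: str) -> bool:
    """Heuristic success check: a redirect away from the form, or an
    authenticated landmark in the page. Many apps also redirect on *failure*
    (back to /login), so tune this per application before trusting it."""
    if status in (301, 302, 303):
        return True
    lowered = body.lower()
    return "logout" in lowered or "dashboard" in lowered


def sweep_defaults(endpoints: List[str], post: PostFn,
                   creds: List[Tuple[str, str]] = DEFAULT_CREDENTIALS
                   ) -> Dict[str, List[Tuple[str, str]]]:
    """Return {url: [(user, password), ...]} for each endpoint that accepts a
    default pair. Stops at the first hit per endpoint: a handful of attempts
    is enough to prove the point and keeps account-lockout noise low."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for url in endpoints:
        for user, password in creds:
            status, body = post(url, {"username": user, "password": password})
            if login_succeeded(status, body):
                findings.setdefault(url, []).append((user, password))
                break
    return findings


def fake_post(url: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for an HTTP client (hypothetical hosts): one
    portal accepts admin/admin and redirects, the other rejects everything."""
    if (url == "https://portal.example.test/login"
            and form == {"username": "admin", "password": "admin"}):
        return 302, ""
    return 200, "<form>Invalid username or password</form>"


def run_demo() -> Dict[str, List[Tuple[str, str]]]:
    """Sweep two hypothetical portals; only the first should be flagged."""
    endpoints = [
        "https://portal.example.test/login",
        "https://other.example.test/login",
    ]
    return sweep_defaults(endpoints, fake_post)


if __name__ == "__main__":
    for url, pairs in run_demo().items():
        print(f"DEFAULT CREDENTIALS ACCEPTED on {url}: {pairs}")
```

Run it against a real inventory only with authorisation, with a short credential list and a stop-on-first-hit policy as above, because hammering production logins during an incident is itself a good way to lock out the people doing the response.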
How not to undertake IR like Equifax
Equifax could have turned this incident into an opportunity to control the narrative of the breach, but a short-sighted strategy and what from the outside looks like a very immature incident response and crisis communication process have left the media controlling the message.
When facing the abyss of a major incident, what should you be doing?
If you work on these areas, you should be in a stronger position when faced with the perfect storm of incidents.
Finally, remember that the incident isn't over until it really is over!
About the author: Stuart Peck, Director of Cyber Security Strategy, ZeroDayLab
From a background in threat intelligence, social engineering and incident response, Stuart Peck heads up Cyber Security Strategy for ZeroDayLab. Stuart regularly delivers threat briefings to FTSE-level executives and directors throughout the UK and Europe. Passionate about educating organisations on the latest attacker trends facing business today and how to combat them, Stuart's key areas of expertise include the dark web, social engineering, malware and ransomware analysis and trends, threat hunting, OSINT, HUMINT and attacker reconnaissance techniques.