The Equifax Breach: Lessons for EU Organisations

Recently, the credit scoring company Equifax revealed it had been the victim of a dramatic breach,
potentially putting the data of up to 143 million US customers at risk. As we watched the story
unfold, things quickly turned from bad to worse. Days after the incident was announced, we learned
of the Apache Struts vulnerability and a huge configuration error in Argentina, and late last week we
discovered that up to 400,000 UK-based customers could be affected: key details behind this are yet
to be made clear.

The Equifax breach was not the biggest incident of its kind in recent years – but it’s certainly one of
the most dangerous. Millions of customers’ sensitive, personal data (including Social Security
numbers) is now at the whim of fraudsters seeking to steal identities. Even more frighteningly, it
took two months for the organisation to confess, meaning individuals were totally oblivious to being
at risk.

With just over eight months to go until new European personal data regulations come into force,
organisations can look to incidents, such as the Equifax breach, to learn some valuable lessons.

Compliance is key

With GDPR legislation in place from 25 th May 2018, keepers of personal data will no longer have the
luxury of taking months to craft a self-serving response to notify customers of a breach. In a GDPR
world, companies will need to provide notification of an incident within 72 hours. Failing to do this,
businesses risk being fined 4% of their global revenue – not to mention multiple, hefty fraud
penalties often demanded by the FCA.

Additionally, Equifax should be a lesson in awareness for all organisations who have become data
businesses. For several years, the limits of IT departments all over Europe have been tested due to
dealing with an overload of regulations, in addition to the constant pressure to ensure networks are
over achieving to meet increasingly high customer experience expectations.

Further complexity equates to further vulnerability. Compliance and performance are now at the top
of operational agendas, but security is still significantly falling behind the increased performance
mandate. As businesses begin to consolidate data centres, or move to the cloud in some instances,
the complexity of their enterprise networks will grow.

It’s crucial that as networks increase in complexity, visibility improves to aid management and
troubleshooting. For example, you wouldn’t shift to dense 10Gb Ethernet or higher network speeds
in order to deal with elevated network demand without making sure you had visibility of the
increased flow of information, would you?

The message for organisations is clear: increased complexity must be approached with increased
security and transparency as to the daily, internal happenings of a network. This does not exclude
third parties: cyber risk underwriters do not necessarily assign a lower score to companies that use
outsourced providers and other third parties to manage infrastructure and take care of, for example,
patching.

Attitudes towards security can often be gauged from the way a company handles third parties and
the quality of this relationship. However, it’s essential that the processes surrounding dealing with
third parties are correctly defined and understood in the first place.

Prepare now, or pay later

GDPR demands that data handlers must implement “security by design and by default”. This means
that systems must be designed from the outset to deliver the right levels of resilience and security.
In this respect, there won’t be any room for maneuver.

The harsh reality is that it’s likely every business will experience a data breach at some point, if they
haven’t already. So when the inevitable happens, in order to be compliant, organisations will need to
know, understand and communicate the breach within the 72 hour ‘critical period’. For this to
happen, they will need to be able to have a transparent view of network activity in real-time, with
the ability to identify the cause of issues quickly and prevent them from escalating further.