One of the most serious corporate data breaches in history was the September 2017 breach involving Equifax Inc., the consumer credit reporting agency based in the United States of America. This breach followed a cyber-attack on Equifax's systems in May 2017 that exposed the personal information of 147 million people globally, including up to 15.2 million people in the United Kingdom, to hackers. The exposed data included names, dates of birth, email addresses, telephone numbers and, in some cases, payment card details of data subjects. The Information Commissioner's Office (ICO) has now issued a heavy fine to Equifax in response. Organisations that wish to avoid fines and penalties like this need to proactively ensure their cyber-security defences are up to scratch.
In addition to the quantity of personal data exposed, this case is important because Equifax were afforded plenty of opportunity to prevent the breach from occurring in the first place. A vulnerability in Apache Struts 2, a Java web application framework used by Equifax, had already been identified by its developers, the Apache Software Foundation, in March 2017. Within days of the discovery, the Apache Software Foundation issued instructions on how to apply an emergency patch to remedy the vulnerability, recommending an update to either Apache Struts 2.3.32 or 2.5.10. However, at the time of the Equifax breach in mid-May 2017, an earlier version of Struts, which still contained the vulnerability, was present on their systems.
Following its report, the ICO issued a £500,000 monetary penalty, the maximum available under the previous Data Protection Act, to the UK branch of the company, Equifax Ltd., for its multiple failures to protect personal information in connection with the cyber-attack. Equifax Ltd. was fined under the Data Protection Act 1998 because the GDPR was not yet in force at the time of the breach; a breach of this magnitude would likely have attracted a far greater fine under the new Regulation (EU) 2016/679 (GDPR), which allows penalties of up to €20 million or 4% of global annual turnover. The ICO's report criticised, in particular, the fact that personal information was kept for far longer than necessary and stored in locations susceptible to attack.
The importance of general cyber-security and patch management
Employing a robust patch-management system is a simple yet hugely effective way to prevent low-level attacks. Some initial steps are:
- The designation of an individual who will oversee and take responsibility for the overall patch management process. This should ideally be a Chief Technical Officer (CTO) or a Chief Information Security Officer (CISO) with the relevant experience and qualifications;
- Where possible, ensure devices have an “auto-update” function enabled. This will ensure patches and security updates are automatically applied when they are made available, reducing the time-window of the device running older, outdated software;
- For systems which have no “auto-update” feature (such as servers), ensure there is a regular maintenance schedule in place to periodically check and deploy any updates which may be available. This schedule should be implemented and maintained by the CTO/CISO;
- Conduct regular penetration testing: a controlled form of hacking used to find your own weaknesses and vulnerabilities. Any weaknesses or vulnerabilities discovered should be remedied;
- Ensure that the operating systems (OS) for the devices your organisation uses are still supported by the developer and subject to regular security updates. For example, Windows XP is still widely used, despite official support for the OS ending in 2014;
- Avoid using unlicensed and unsupported software for which you no longer receive updates;
- In extreme circumstances (such as the Equifax breach), the CTO/CISO should be able to enact an emergency patch procedure to fix dangerous vulnerabilities outside the regular maintenance schedule.
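As an added illustration of the maintenance-schedule and emergency-patch steps above (not code from the original article or from Equifax), the following Python script checks an inventory of Apache Struts 2 deployments against the fixed releases 2.3.32 and 2.5.10 named by the Apache Software Foundation; the host names and versions are constructed sample data.

```python
"""Flag Apache Struts 2 deployments that predate the March 2017 fixed releases."""
import re

# Fixed releases named in the Apache Software Foundation's advisory:
# the 2.5 branch was fixed in 2.5.10, everything older in 2.3.32.
FIXED_2_5 = (2, 5, 10)
FIXED_2_3 = (2, 3, 32)

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "web-01.example.internal": "2.3.31",
    "web-02.example.internal": "2.5.9",
    "web-03.example.internal": "2.3.33",
    "portal.example.internal": "2.5.10",
}


def parse_version(text):
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Struts version: {text!r}")
    return tuple(int(part) for part in m.groups())


def needs_patch(version):
    """True if this Struts 2 version is older than the fixed release for its branch.

    A plain numeric comparison is not enough: 2.3.33 is patched while 2.5.9 is
    not, yet 2.3.33 sorts below 2.5.9, so the branch must be checked first.
    """
    v = parse_version(version)
    if v[:2] == (2, 5):
        return v < FIXED_2_5
    # 2.3 and any older 2.x branch must be at least 2.3.32.
    return v < FIXED_2_3


def audit_inventory(inventory):
    """Return sorted (host, version) pairs that need the emergency patch."""
    return sorted((host, ver) for host, ver in inventory.items() if needs_patch(ver))


if __name__ == "__main__":
    for host, ver in audit_inventory(SAMPLE_INVENTORY):
        print(f"EMERGENCY PATCH REQUIRED: {host} runs Struts {ver}")
```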
On a positive note, some of the above steps have already been taken by Equifax themselves in a major organisation-wide cyber-security overhaul. It is reported that in the year since the breach, Equifax has invested around US$200 million in cyber-security and appointed a new heavyweight CISO, Mr Jamil Farshchi, who boasts an impressive résumé of managing various other high-profile cyber-security incidents.
The £500,000 fine issued by the ICO may seem significant at a glance, but the damage caused by the breach extended far beyond the fine. In the two trading days following the announcement of the breach, the share price of Equifax Inc. fell 20.7%, wiping $3.5 billion off the market value of the company. Furthermore, over 30 lawsuits were filed against the company, 25 of them in the federal courts, and employees were investigated for insider trading after offloading shares immediately before the breach was announced.
Organisations should also be aware that since the GDPR came into force in May 2018, the £500,000 cap on fines under the previous Data Protection Act has now been replaced with a much more punitive percentage-based penalty regime. This only underlines the necessity of committing to a robust cyber-security regime.
The reputational damage caused to Equifax as a result of this breach cannot be overstated. Equifax is now a name associated with recklessness and distrust. However, their new commitment to ensuring their cyber-security systems are robust is the first step on a long path to restoring consumer confidence.