When security measures don’t
Houston, we have a problem
October 9th 2017
Another day, another data breach of momentous proportions.
This time a cyberattack on credit scoring firm Equifax means the personal details of 143m Americans are thought to have been illegally accessed, together with data on 400,000 Brits.
So what happens next? Reflecting just how seriously the authorities regard breaches and the far-reaching responsibilities of those who hold personal data, Equifax is now the focus of a criminal investigation.
In the Quartz article The complete guide to the Equifax breach, journalist Karen Hao writes: “The company discovered the breach on July 29 and chose not to publicly disclose it until last week. Adding insult to injury, three Equifax executives sold nearly $2 million in company stock before the announcement. The company maintains that its executives ‘had no knowledge that an intrusion had occurred at the time they sold their shares.’ Perhaps unsurprisingly, Equifax is now under federal investigation… two of its security and information executives are retiring, effective immediately.”
Equifax could be in very deep water. In Wired’s The colossal Equifax data breach has hit 400,000 UK customers, Matt Burgess reports that the firm has already admitted it is partly at fault: “A press statement from Equifax Ltd, the UK branch of the firm, said it had ‘regrettably’ found that people's information could have been accessed when one of its files from the UK was transferred to the US. This file was on the hacked systems… The UK customer data was being stored in the US for five years ‘due to a process failure’, the company's statement explains. The issue was only corrected in 2016 but had been in place since 2011. But why were data sharing processes broken for five years?”
That’s a crucial question. Next year sees the introduction of the General Data Protection Regulation (GDPR), under which organisations face massive fines for failing to protect personal data adequately. Deleting data that is no longer needed is a key part of staying on the right side of the law, and it is not a new obligation: the current Data Protection Act 2018 already states that data must be kept for “no longer than absolutely necessary”.
Insights has covered the implications of data protection law before. In our article GDPR: Have you got it sussed?, Virgin Media Business security expert Dave Sirignano issued a stark warning to organisations holding personal data: “GDPR comes into effect from 25 May, 2018. If you suffer a breach after the onset of GDPR and it’s found that you haven’t complied, you are liable to be fined. This can be up to 4% of global turnover, so it’s extremely important to comply… under GDPR any losses of availability must be recovered as soon as possible. All this is a good thing for everyone. If you still go on to suffer a breach, but have documented your processes and done everything expected, my understanding is that your fine will reflect the efforts you’ve gone to.”
That will be of little consolation to Equifax, which has already admitted to some shortcomings in its processes. If, as could be the case under GDPR, Equifax were to face a fine of 4% of global turnover, the impact would be crippling.
In the Insights article The £34bn cyber attack, Dave Sirignano gave his advice on how to avoid putting valued customers in such a position. To summarise, he said:
1. Make security a board agenda item so that CEOs are aware of any issues and start delegating responsibility for cyber security.
2. Develop a cyber strategy that includes proactive security measures.
3. Incorporate security into the company’s risk management framework while also compiling an asset register and conducting a basic risk assessment on valuable assets.
4. Develop best practice policies and procedures. For guidance look at the new National Cyber Security Centre rules on passwords and basic security.
5. Think about security in your IT and business procurements. Third parties are a significant source of breaches, so make sure security is part of your due diligence process.
Back on Wired, How to protect yourself from that massive Equifax breach points those who fear they might have been affected towards Equifax’s own website. Meanwhile there has been no indication of who was behind the breach. And in today’s climate, where organisations are duty bound to adequately protect personal data, who the attacker was is essentially beside the point: the responsibility for safeguarding the data rests with the organisation that holds it.