More Equifax details emerge as breach count upped to 145.5 million

Mandiant, a cybersecurity organization hired by Equifax to investigate the data breach incident disclosed on September 7, completed a forensic investigation with some key findings. It concluded that information for 2.5 million additional customers in the US was potentially breached, increasing the total number of those affected to 145.5 million.

Mandiant found no evidence that hackers broke into any database outside of the country. However, Mandiant has completed a forensic investigation in the UK and is conducting analysis within the UK’s borders.

Mandiant had estimated that as many as 100,000 Canadian citizens were affected, but upon completion of the audit, reduced that figure to about 8,000. Included in this count is a percentage of Canadian credit cards that were affected.

Equifax scrutiny plays out in Congressional hearing

On Tuesday, October 3, former Equifax CEO Richard Smith testified in a Congressional hearing and revealed some troubling and suspicious information.

Smith admitted that he did not hear about the breach until July 31, even though Equifax detected it on July 29. On August 2 he asked law firm King & Spalding to investigate, but did not request a briefing until August 15, nearly two weeks later. The remaining timeline leading up to his notifying Equifax’s board of the breach on August 22 sounds like a leisurely stroll through the park considering the amount of personal data at stake.

John Kelly, Equifax’s chief legal officer, is also under scrutiny since he approved nearly $2 million in stock sales by three executives on August 1 and 2, just days after the breach was detected.

Other findings from Smith’s Congressional testimony include:

  • Equifax’s customer dispute portal contained a vulnerability within its Apache Struts open-source web application. A scanning system did not detect the vulnerability at first. An unnamed person who knew of the system weakness did not report it in time to prevent the cybercrime. Apache patched the system and disclosed details to Equifax on March 6.
  • Equifax did not encrypt sensitive information that was stolen, but rather stored it in plaintext for hackers to read.
  • Smith only mandated security reviews four times a year.
  • The FBI is investigating the breach and Equifax will not rule out stateside cyber attackers.
  • By creating and hosting its breach notification site separately from its secured, trusted website, Equifax may have left itself vulnerable to additional cyber attacks.

On September 29 – the final day of the fiscal year – the Internal Revenue Service (IRS) awarded Equifax a $7.25 million no-bid fraud prevention contract. According to the website, “This action was to establish an order for third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service.” The contract is a sole source order, which means that Equifax is deemed the only company that can fulfill the order.

Not bad for an organization with a highly questionable approach to cybersecurity that exposed the personal data of 145.5 million consumers.

Anyone handling personal data needs to put in place strong cybersecurity measures

Equifax’s role as a responsible credit reporting agency is under scrutiny because of questionable information security management system (ISMS) practices. Any organization that does not maintain a proper ISMS makes itself more susceptible to a data breach. The repercussions can be lasting and many, including monetary damages, reputational harm, and a loss of trust in the brand.

Don’t put yourself in the same position as Equifax. ISO 27001 provides the regulatory framework for a suitable ISMS. Achieving ISO 27001 accreditation demonstrates to clients and the public that your organization applies the requirements that characterise an all-encompassing ISMS.