While we thought the UK fine for Equifax was the last word on the topic for 2018, the US House of Representatives Committee on Oversight and Government Reform released its report into the 2017 Equifax data breach, on which we have written before, and concluded that:

"Equifax failed to fully appreciate and mitigate its cyber security risks. Had the company taken action to address its observable security issues prior to the cyber-attack, the data breach could have been prevented".

This damning report finds that the breach was entirely preventable. It also made some key points which are salient for others who hold large volumes of sensitive data.

The US House of Representatives took the view that entities that hold large amounts of sensitive personal data are a high-value target for cyber criminals and consequently have a heightened responsibility to protect that data by providing best-in-class data security. That means that, whatever the size of the organisation, it needs to implement an adequate security program to protect that data.

Equifax did not fully patch its systems against known vulnerabilities. One of the findings of the review was that the attackers who gained access sent 9,000 queries to 48 separate databases, successfully locating personal information 265 times, and managed to exfiltrate data without Equifax knowing. One reason the attackers were successful was that Equifax had left a security certificate expired for 19 months. It was only when the expired certificate was renewed that the suspicious traffic was noticed.

The report found that Equifax had allowed over 300 security certificates to expire, including 79 that related to the monitoring of business-critical domains.
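The two paragraphs above describe a single failure mode: a certificate on which traffic monitoring depended expired, and nobody noticed for 19 months. The script below is an added example of the kind of routine check that closes that gap; it is not code from the congressional report, from Equifax or from Holding Redlich. It parses the notAfter date directly out of DER-encoded X.509 certificates (a minimal walk of the ASN.1 structure, stdlib only) and flags expired and soon-to-expire entries, listing certificates tagged with a monitoring role first. The inventory, the role names and the reference date are constructed for illustration.

```python
"""Certificate-expiry audit: read notAfter from DER X.509 certificates and flag
expired or soon-to-expire entries, prioritising those that monitoring depends on.
All sample certificates below are constructed in-script (hypothetical), not real."""
from dataclasses import dataclass
from datetime import datetime, timezone


# --- Minimal DER helpers (the encoder is only used to construct sample certs) ---
def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag: int, content: bytes) -> datetime:
    """Decode X.509 UTCTime (0x17) or GeneralizedTime (0x18) as a UTC datetime."""
    text = content.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: two-digit year < 50 means 20xx
        yy = int(text[:2])
        text = f"{2000 + yy if yy < 50 else 1900 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_not_after(cert_der: bytes) -> datetime:
    """Walk Certificate -> TBSCertificate -> Validity and return notAfter."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    tag, _, pos = read_tlv(tbs, 0)          # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)      # serialNumber
    _, _, pos = read_tlv(tbs, pos)          # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)          # issuer Name
    _, validity, _ = read_tlv(tbs, pos)     # Validity SEQUENCE
    _, _, vpos = read_tlv(validity, 0)      # notBefore (skipped)
    tag, not_after, _ = read_tlv(validity, vpos)
    return parse_time(tag, not_after)


# --- Constructed sample certificates (unsigned, structurally plausible only) ---
def utctime(dt: datetime) -> bytes:
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_sample_cert(not_before: datetime, not_after: datetime) -> bytes:
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                      # version v3
              + der(0x02, b"\x01")                               # serialNumber
              + sha256_rsa                                       # signature
              + der(0x30, b"")                                   # issuer (empty, sample)
              + der(0x30, utctime(not_before) + utctime(not_after))
              + der(0x30, b"")                                   # subject (empty, sample)
              + der(0x30, b""))                                  # subjectPublicKeyInfo stub
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))


@dataclass
class CertRecord:
    name: str
    role: str   # hypothetical role tag; "traffic-inspection" is what monitoring depends on
    der: bytes


MONITORING_ROLES = {"traffic-inspection"}


def audit(inventory, now: datetime, warn_days: int = 30) -> dict:
    """Return expired/expiring certs as (name, role, days) tuples, monitoring roles first."""
    expired, expiring = [], []
    for rec in inventory:
        remaining = (cert_not_after(rec.der) - now).days
        if remaining < 0:
            expired.append((rec.name, rec.role, -remaining))
        elif remaining <= warn_days:
            expiring.append((rec.name, rec.role, remaining))
    key = lambda t: (t[1] not in MONITORING_ROLES, t[0])
    return {"expired": sorted(expired, key=key), "expiring": sorted(expiring, key=key)}


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = utc(2017, 7, 29)  # constructed reference date for the audit run
SAMPLE_INVENTORY = [
    CertRecord("ssl-inspection-appliance", "traffic-inspection",
               build_sample_cert(utc(2015, 1, 31), utc(2016, 1, 31))),
    CertRecord("www-frontend", "web", build_sample_cert(utc(2016, 8, 15), utc(2017, 8, 15))),
    CertRecord("internal-api", "web", build_sample_cert(utc(2017, 7, 29), utc(2018, 7, 29))),
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, NOW)
    for name, role, days in report["expired"]:
        print(f"EXPIRED  {name:<26} {role:<19} {days} days ago")
    for name, role, days in report["expiring"]:
        print(f"EXPIRING {name:<26} {role:<19} in {days} days")
```

In a real deployment the inventory would be populated from the certificate stores of the appliances themselves rather than from an in-script list, and the output would feed a ticket or alert; the point the report makes is that an appliance whose certificate has lapsed fails silent, so the check has to be scheduled and its results owned by someone, not left to whoever happens to notice.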

The review noted that the complexity of the IT environment, the result of an aggressive growth strategy over a 12-year period, meant that multiple legacy systems operated alongside one another, and that Equifax failed to ensure that the investment in securing those systems was sufficient. Equifax failed to implement an adequate security program to deal with this complexity.

The review also pointed to a lack of accountability and no clear lines of authority within Equifax's IT management and reporting structure, which left a gap in reporting so that the attack was not dealt with properly.

Finally, once Equifax had engaged a cyber security firm to conduct the forensic investigation and announced the breach to the public, knowing that 143 million consumers had been affected, the dedicated breach website and call centre it had prepared were immediately overwhelmed and unable to give consumers timely information.

The report highlights once again that failing to prepare is preparing to fail.

The team at Holding Redlich can assist you to prepare for such eventualities, by putting in place strategies to mitigate risk and preparing to respond to breaches when they occur.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.