SEC, Equifax breaches highlight steps orgs should avoid in breach disclosure

Serious missteps in how Equifax is handling its breach should inform healthcare organizations on what not to do it if happens to them.
By Jessica Davis
02:43 PM
Share
Equifax hack

In what’s being called one of the worst breaches in U.S. history, the Equifax breach of about 143 million records is being marked by some serious missteps.

Hackers managed to pilfer Social Security numbers, driver’s licenses and credit card numbers for some, in addition to other sensitive details of a large portion of the population. But what’s most concerning is how the company is handling the breach.

It’s also important to note this is the second breach for Equifax this year. In May, the company notified the public that hackers exploited Equifax TALX payroll division between April 2016 and March 2017. A flaw allowed hackers to reset the 4-digit PIN numbers used by payroll managers, by answering a few simple questions.

Bumbling through breach reporting

First, officials discovered the breach on July 29, which began in May 2017, and officials quickly plugged the security hole. However, the hackers exploited an Apache Struts vulnerability, which Apache released a patch for in March. This suggests Equifax failed to install the security updates.

Apache powers both front- and back-end web applications, including Equifax’s public website.

To Kris Lovejoy, founder and CEO, BluVector, a security firm, while the lack of patching is concerning, it’s not surprising.

“It’s easy to say, there’s a patch you should have patched. But sometimes it’s not possible,” Lovejoy said.

There are times where critical patches can actually disrupt how a product works. Not only that, but there are a multitude of patches released on a daily basis, which, Lovejoy explained, can make patching overwhelming.

However, this doesn’t mean Equifax should get a pass.

“It’s not a failure of patching, but an error with monitoring,” Lovejoy said. “My guess is there’s no centralized security management at Equifax… It’s surprising because in the past, Equifax was known for having pretty good security practices.”

Second, on Tuesday the official Equifax Twitter account sent users to a phishing site, instead of the official site that helps users secure one-year of free credit monitoring. The real site is equifaxsecurity2017.com, but Equifax told users to visit ‘securityequifax2017’ instead.

The site is currently blocked by numerous browsers as it’s malicious.

“I really don’t understand how they could have done this,” said Lovejoy. “It’s a pretty general rule: It has to be a trusted site and should be part of your main website. If the site you’re pointing people to isn’t, it can’t be monitored.”

Third, Equifax -- after public pressure from both lawmakers and regulators -- offered its customers 30 days of free security freezes on their credit files. But the site customers were directed to had issues loading. Consumers are now being directed to submit requests in writing with copies of identity documents.

Disclosure troubles

Coming on the heels of the Equifax news, the Securities and Exchange Commission announced Wednesday that hackers breached its storage system for publically traded companies.

What’s disturbing is the breach happened last year. The company finally went public with the breach, once it became aware the intruders may have made an illegal profit in improper trading.
This highlights a final issue: Disclosure.

“Despite all of the big talk, we’re still in a situation where breaches are fairly common and known vulnerabilities are being exploited,” said Lovejoy. “When it comes to disclosure, the importance is still very much up to debate. Folks aren’t getting the kind of info they should be given.”

While the healthcare industry is highly regulated, other industries -- some that work with healthcare professionals, like Equifax -- may not have those same requirements. And as a result, Lovejoy explained that many companies won’t disclose a breach unless it can be proved its business was impacted.

“One of our biggest failings is how we’ve defined disclosure. It lets people not disclose a breach,” said Lovejoy. “We need to redefine incident to someone getting inside a network, regardless of the impact it has on the company. That way we can get people to understand there is activity and there’s an obligation.”

“People are worried about Equifax, the breach and the impact on the individual. What I worry about is that the result, the whiplash result, will be thoughtless,” she added. “I worry about the recommendations that will inevitably come out of this. I hope they will be useful and not a hindrance.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com