You may have already heard about the Equifax case. Its repercussions are due not only to the magnitude of the data theft, but also to the sensitivity of the type of data handled by this American company.
Equifax is the largest credit reporting agency in the United States and is present in 23 other countries. In order to provide its services, it needs to keep sensitive data on millions of people, ranging from personal data, contact details and tax identification to, in some cases, bank and credit card information.
The company announced on September 7 that it had suffered a cyberattack that had exposed the data of a large number of customers: specifically 143 million, mostly in the US, but also some in the United Kingdom and Canada.
This announcement unleashed the controversy. Those possibly affected are trying to find out what happened and why, and to obtain more information and some solution from the company.
The investigation suggests that the data theft was possible because Equifax did not update one of its tools, Apache Struts, which was affected by CVE-2017-5638, even though the patch was available a few months before the attack.
What did Equifax do wrong?
- They showed apathy in the custody of the data by not keeping their software updated.
- They waited a long time to announce the breach. They had been aware of the problem since July 29 of this year and did not announce it until September 7, more than a month later.
- Three of its executives sold their shares for high figures before the cyberattack was announced and the share price collapsed.
- They did not communicate the problem directly; instead they offered a web page for consultation, which was also malfunctioning.
- They initially offered clients a paid service to monitor the problems created by the attack (later rectified).
What can be learned?
- Companies must have an efficient cyber recovery policy that includes applying patches quickly when updates are available.
- A good data protection policy should include a robust encryption system for large blocks of sensitive information.
- Organizations must establish strict access controls for their main systems, such as data centers.
- It is essential to undergo periodic cybersecurity audits, preferably by external consultants (who will be more objective).
- Suppliers must also be audited or they will become the weak link in the chain.
What consequences can this massive data leak have in the medium term?
The danger facing those affected and the financial sector, from now on, is that their data is at the mercy of cybercriminals on the dark web. What can happen from now on is unpredictable, but you must be alert.
Experts point out that banks and institutions should monitor for any type of fraudulent access or transactions, as they could be victims of targeted attacks such as phishing and spear phishing, among others.
Banks should:
- Increase the sensitivity of transaction monitoring.
- Apply a multifactor authentication system.
Several complaints about this case are currently in progress in the countries where the company operates, and the outcome of these legal disputes remains to be seen. Meanwhile, what we have to do is learn from this and take all the protection measures that are within our reach.
Worried about the idea of something similar happening to your company? At Syneidis we have cybersecurity solutions designed especially for you.