It was early September of 2017. I muttered under my breath as I tried to confirm my data's involvement in the Equifax hack. The website was slow; I had jumped on immediately after hearing the news, along with tens of millions of other Americans. At that point, I was concerned that my personal data had been compromised. After multiple tries to find out, I got my answer:
I was caught up in the breach.
This one touched a nerve. I had experienced breaches before. For example, my Twitter account was compromised and spammed with false Ray-Ban advertisements. I'd even had my World of Warcraft account stolen at one point in the distant past, and recovery of that account was difficult.
This was different. It seemed bigger, and more dangerous - because it was.
A company with which I'd never done business had collected my sensitive data and failed to protect it. I assumed that my social security number, credit account data, credit history, current and past addresses, and more were in the hands of cybercriminals.
Taking matters into my own hands, I took advantage of the free credit alerting from Equifax. I set watches on all of my retirement holdings, equity accounts, and enrolled in identity theft protection via another website.
This affected me in several ways...
The stress that came with losing control of my personal data wasn't healthy. An unknown entity had a lot of information about me. What were they going to do with it?
I felt betrayed by a company who should not have had my data in the first place.
A considerable amount of time and money from my own pocket was spent tracking the breach and taking measures to monitor my accounts.
This is a historic breach in both scale and data sensitivity, and validates the intrinsic value of information in today's digital world. Looking back, there was a chain of events which caused this:
- First, an application vulnerability had gone unpatched on one application stack that handled dispute claims
- Hackers exploited this vulnerability to steal cleartext usernames and passwords
- The cybercriminals then circled back some time later with more tools that helped the data collection appear like regular network/web traffic, and ex-filtrated data from many more Equifax servers.
- This attack went undetected for weeks or months, even though Equifax knew about the vulnerability. Could the breach have been stopped?
The answer: Prevention was possible.
Looking at this from the company's perspective, this type of breach could happen to anyone regardless of organization size. Budgets are always strained for IT systems and tools, while prevention often takes a back seat to reaction. That's backwards thinking.
Preventing breaches is far less expensive than the financial and reputational damage of a cyberattack.
So, if you're in the IT Security department at your organization, do you have adequate breach prevention in place? We're here to help you find out.
- A series of leading questions to asses how your organization is preventing threats
- Running an automated tool in your environment (with permission), which will identify strong and weak points in your cyber defenses, giving you a well rounded view of your security posture
- Your strengths are addressed and recommendations are given to prevent your business from falling victim to cybercriminals.
The adage about an ounce of prevention...