Credit agency Equifax hit the headlines for all the wrong reasons in 2017 when 146 million people – including 700,000 in the UK – had their data stolen by hackers.
The breach cost the company more than $114m in insurance payouts, plus a fine of £500,000 – the maximum allowed at the time – from the British Information Commissioner’s Office.
Equifax was widely criticised for failing to protect people’s personal details and came under fire for taking so long to let victims know their data had been compromised. Several senior executives, including chief executive Richard Smith, lost their jobs.
Last August, a 40-page report to the American Congress detailed the actions taken by Federal agencies and Equifax itself in response to the breach. But many people saw the reaction as closing the stable door after the horse had bolted.
CertiKit CEO Ken Holmes said: “Equifax seem to have done a lot of things right – they had processes in place – but it only takes a few things wrong to cause a breach like this. They came close, but no cigar. No company is impregnable.”
The data breach began in March 2017 when hackers discovered a software vulnerability in Equifax’s systems. By that May, they had begun extracting personally identifiable information, or PII.
According to Equifax, the attackers used various techniques to cover their tracks, and it wasn’t until 76 days later that the breach was discovered. It then took more than a month before the news became public.
The company took steps to notify and provide support to people who were affected. A website addressing the breach was launched and the firm vowed to help victims reduce the risk of being defrauded.
But people were sceptical. Equifax’s reputation had taken a battering and those affected were reluctant to provide the firm with even more information.
One woman, Alison McGill, wrote in a discussion on the Money Saving Expert website at the time that she had been contacted by Equifax by letter, telling her that some of her personal data had been compromised.
One of dozens of affected British people who complained on the site, she said the firm had suggested she sign up to a free service it had launched, which would alert her to any fraudulent activity using her identity over the next two years.
“Trouble is,” she wrote, “in order to register online with them, I need to give them even more information – ie email addresses, credit and debit card details, bank accounts, National Insurance number… don’t think so! The less they have on record, the better in my view.”
Equifax claims that the 700,000 British people who were affected had their names, dates of birth, email addresses and telephone numbers compromised.
No UK consumers had their residential addresses, passwords or financial data accessed, the firm, which is based in Atlanta, Georgia, claims.
But that’s scant consolation to the millions of American customers who fared worse. So, what lessons can other businesses learn from the breach?
“In the UK, a good starting point would be Cyber Essentials,” said Mr Holmes. “If you need something more, you need to look at working towards ISO 27001, with a view to becoming certified.”
The 27001 standard is a specification for an information security management system, or ISMS – a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.
CertiKit produces a toolkit to help companies work towards certification. This costs £695 and includes all documents, plus a year’s updates and support.
Cyber Essentials, a scheme operated by the National Cyber Security Centre, helps companies to stay safe in five key control areas, including internet firewalls, malware protection and software updates. A CertiKit Cyber Essentials Toolkit will be available later this year.
The Equifax investigation into the breach revealed “several major” issues involving identification, segmentation and data governance.
An internal distribution list was out of date, so the people responsible for applying security patches were never told that an update was available.
A digital certificate had also expired, which stopped a tool that inspects network traffic for malicious activity from working.
And the databases were not isolated, or segmented, from each other, so once inside the attackers could move from one database to others and extract personal data.
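As an added example, not code from Equifax, CertiKit or the congressional report, the following audit runs over a constructed inventory of certificates used by security tooling and flags any that are expired or about to expire, turning the kind of silent failure described above (an expired certificate disabling a traffic-inspection tool) into an alert. System names, dates and the audit date are made up.

```python
"""Periodic expiry audit for certificates that security tooling depends on.

Added example, not code from Equifax or CertiKit. The inventory, the
system names and the audit date below are all constructed for illustration.
"""
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # report certificates that expire within this many days

# Constructed inventory: (system, notAfter in the format printed by OpenSSL
# and returned by Python's ssl module, e.g. "Aug 19 23:59:59 2017 GMT").
INVENTORY = [
    ("ids-sensor-01", "Aug 19 23:59:59 2017 GMT"),
    ("ids-sensor-02", "Jan 31 23:59:59 2018 GMT"),
    ("ssl-inspection-proxy", "Jan 10 12:00:00 2016 GMT"),
]

# Constructed audit date; a scheduled job would use datetime.now(timezone.utc).
AUDIT_DATE = datetime(2017, 7, 29, tzinfo=timezone.utc)


def days_until_expiry(not_after, now):
    """Whole days from `now` until the certificate's notAfter (negative if expired)."""
    expiry_epoch = ssl.cert_time_to_seconds(not_after)  # parses the GMT notAfter string
    return int((expiry_epoch - now.timestamp()) // 86400)


def audit_certificates(inventory, now):
    """Return {system: (status, days_remaining)} for every inventory entry."""
    report = {}
    for system, not_after in inventory:
        days = days_until_expiry(not_after, now)
        if days < 0:
            status = "EXPIRED"      # tooling relying on this cert may already be blind
        elif days <= WARN_DAYS:
            status = "EXPIRING"     # renew before the tool silently stops working
        else:
            status = "OK"
        report[system] = (status, days)
    return report


def run_audit():
    """Audit the constructed inventory as of the constructed audit date."""
    return audit_certificates(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for system, (status, days) in run_audit().items():
        print(f"{status:8} {system:22} {days:5d} days")
```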
Other contributors on the MSE discussion pondered whether the breach was to blame for a rise in scam emails and phone calls they had experienced.
One of them, Neil Grandison, wrote: “The mystery to me is that I was completely unaware that Equifax held any of my data. So what use [is] the Data Protection Act? Are credit reference agencies exempt?”
But Mr Holmes stressed how vital it is to follow ISO procedures and policies. Otherwise, the certification is effectively meaningless.
“They had various things in place, but they weren’t properly implemented,” he added. “It’s so important to implement at least the principles of ISO 27001.
“There needs to be a management system, and things should be monitored on a regular basis. Internal audits need to take place to find any bugs and flaws before the bad guys do.
“You’ve got to be really on the ball – otherwise, this sort of thing can happen. This was down to a collection of small failings – that’s what really brings it home.
“Sadly, there’s a lack of appreciation among business when it comes to cyber security, and it’s not high enough on companies’ agendas.”