The Equifax Breach: Part Four Analysis

As the Equifax breach continues to become a complicated issue, certain lessons can be learned for other businesses handling personal information. Namely, what not to do in their business operations?  In the wake of the cybersecurity breach, it had been reported that Equifax was aware of the security gaps, and did nothing to remedy them. So, where exactly did Equifax go wrong in its data security plans? How was it informed about the open holes in its security infrastructure?  What can a business owner do to avoid becoming an encore of Equifax’s folly? Is there any way to determine gaps in security policies and procedures?

Where did Equifax go wrong?

Effectively, Equifax appears to have failed at multiple levels, resulting in this breach. This is best summarized into one large mistake. There were no updates implemented to the computer systems Equifax used on its networks.  This was due to a delayed response to a known vulnerability in the Apache Struts web application. This framework is well known, it is used in the business community, and is an open-source framework for developing Java applications. In short, the delay was exasperated by the company’s failure to detect the vulnerability during a security scan.

How can you prevent a repeat of Equifax’s folly?

Preventing Equifax’s folly can best be summarized in three Ps: First, is prompt updating. Second, is penetration testing, and third is security policies.

Prompt updating is the primary solution to an issue like the one Equifax suffered this year.  While there was a notice about the security breach, the lack of an update caused the vulnerability to persist for several months. This gap effectively left the door open to hackers and identity thieves, and any individual who sought to procure personally identifiable information without permission.

Penetration testing involves hiring cybersecurity personnel, often “white hat” hackers to determine security vulnerabilities. The way these white-hat hackers operate is akin to any other hacker. They will, like any other hacker, attempt to break into a security system without using any passwords or other information provided to them. After this, the white-hat hacker details the security flaws to the individual, as well as ways to potentially block them. To some extent, it is like hiring a reformed burglar to stage a home invasion or attempt to break into a vault. If the penetration test goes well, the white-hat hacker should be thwarted, and no changes would need to be made to the infrastructure.

Finally, there are security policies. While Equifax may have had a decent policy to mandate a prompt update after it was informed that vulnerabilities existed, however, it may not have been enough.  When it comes to security, contingencies are king. In forming a security policy, it would be prudent to add multiple layers, requiring that the information technology staff sign off after receiving the notice, and again after performing the update. Furthermore, adding other safeguards, such as the use of supervisors or other individuals to ensure that an update has actually taken place, would certainly add to security. That said, even if additional layers are added, such as routine security scans, it is not a complete guaranty that no breach will occur, or that any policy will work exactly as planned. Instead, it will be something that a business would need to review periodically to determine if and how it is functioning.
At our law firm, we assist clients with legal issues related to business, intellectual property, and e-commerce transactions. Please contact us to set up an initial consultation.