TRENDING
“Equifax stated that the investigation is ‘substantially complete,’ but wisely added that ‘it remains ongoing and is expected to be completed in the coming weeks.’”
For lower-level criminals, the expenses associated with criminal activities will get even lower. SSNs are already cheap; on one AVC (Automated Vending Cart) site, there are over 3.4 million SSNs for sale at only $1. This includes full names, addresses, and – for a large number of accounts – dates of birth. In California alone, there were 334,000 SSNs for sale. With tens (and potentially hundreds) of millions more SSNs potentially entering the market, the opportunities for criminals to commit fraud will increase and the price will decrease even more.
So far, I’ve focused heavily on SSNs – but credit card information was also accessed in the breach. While this number is in the hundreds of thousands (209,000), it is unlikely to have a significant impact on an already burgeoning black market for credit card information.
Enablement of nation state campaigns
Although Equifax claimed this intrusion was conducted by a criminal threat actor, it is possible that this was a nation state actor. In the event that a nation state actor is responsible for the intrusion, then, like the OPM breach, we won’t see the data being monetised in the criminal underground. The stolen data will be leveraged to enable nation states’ campaigns against their intelligence targets.
Enablement of hacktivist campaigns
If we are going to consider nation state actors, we should also consider hacktivist threat actors and their activities around the stolen data. If hacktivists were responsible (I think this is a pretty unlikely scenario) you could expect to see them use the data to target organisations and individuals that run counter to their world views. Embarrassment and doxing, hacktivist go-tos, would come into play.
What enterprises can learn from the Equifax breach
1. Incident response takes time, and eradication in particular takes time. Equifax said that the intrusion was discovered on 29th July and that they “acted immediately to stop the intrusion”. Equifax’s goal was to contain the adversary that first day, but true eradication took much longer. It is important that you set expectations with your leadership about how long eradication could actually take.
2. Third party risks raise their ugly head once again. Some aspects of this intrusion remind me of the September 2015 T-Mobile breach. In that intrusion, Experian was hosting T-Mobile data that an unauthorised party accessed, and this resulted in the loss of 15 million individuals’ records. Any organisation with a business-to-business relationship with Equifax needs to find out the scope of any potential loss of their employee or customer data. This third party exposure also highlights the need for third party risk monitoring.
3. Crisis communication is key. Effectively communicating during an intrusion is important; it won’t absolve you of your sins, but doing it wrong could make the situation far worse. Understanding when and what to communicate is also important. Equifax discovered the intrusion on 29 July and notified on 7 September. Some might ask why it took so long for the notification, but I don’t think a month is that long. The investigation needs to be far enough along so that you can confidently communicate the situation. A CEO that comes out 2 days after a breach and then minimises what is a much more significant threat will be performing a mea culpa in little time.
4. GDPR will change the breach notification game. Now let me really trip you up: how would this situation play out if it was after 25 May 2018 and Equifax lost European Union citizens’ data? The General Data Protection Regulation changes everything with 72-hour breach notification windows. GDPR states, “This must be done within 72 hours of first having become aware of the breach.” When the fines do come into place, the timing of the communication will have a significant impact.
What consumers can learn from the Equifax breach
1. Consider taking advantage of Equifax’s offer. Although the irony is not lost on me, taking advantage of credit file monitoring and identity theft protection offers is important. If you don’t want to use Equifax for these services, I get it; look for alternatives with someone like TransUnion or Experian.
2. Be vigilant about your payment card activity. Use email/SMS alerts to notify you of account transactions over and under a specific amount. If an unauthorised transaction occurs you can be notified immediately and can quickly take action. Be vigilant about your card activity and alert your bank about any suspicious activity.
3. Address tax fraud with IRS Form 14039. If you find out you are a victim of tax return fraud, there are still things you can do. Victims can file and send an IRS Form 14039.
4. Check your Explanation of Benefits (EOB) statement. It might look like another piece of spam mail, but it is important to reconcile the EOB statements that your insurance sends you. This is your best bet to monitor for medical card fraud. Make sure to report any unfamiliar activity as soon as you observe it.
5. Assume breach. In the corporate cybersecurity world, we have learned to ‘assume breach’. Consumers should also operate under the impression that their confidential data has been compromised.
www.intelligentcio.com