In recent days the world has become familiar with perhaps the largest data breach event ever known to humanity. I’m referring, of course, to the Equifax data breach.
The incident, as summarized by Equifax Security, potentially impacts personal information relating to 143 million U.S. consumers – primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
Information potentially stolen by the hackers, including Social Security numbers and dates of birth and names, could put people at risk of identity theft for the rest of their lives, credit experts warn.
So how did such a massive breach happen?
USA Today notes that hackers took advantage of an Equifax security vulnerability two months after an industry group discovered the coding flaw and shared a fix for it, raising questions about why Equifax didn't update its software successfully when the danger became known:
"The Equifax data compromise was due to (Equifax's) failure to install the security updates provided in a timely manner," The Apache Foundation, which oversees the widely-used open source software used by Equifax, said in a statement.
At the time of USA Today’s article publication, Equifax had not responded to questions about when the patches were used to fix the security weak point, or if the patches were used at all.
It only made this statement: "We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise with law enforcement."
USA Today also reported the critical comments of other cybersecurity professionals:
“They should have patched it as soon as possible, not to exceed a week. A typical bank would have patched this critical vulnerability within a few days,” said Pravin Kothari, CEO of CipherCloud, a cloud security company.
By all accounts it appears that one of the fundamental reasons for the Equifax data breach stemmed from a failure or lack of timely attention to applying critical software patches. Arguably, had the patches been applied in a timely fashion none of the ensuing issues would have occurred.
Examples of Preventive Measures For Avoiding a Data Breach
IPR Secure notes that companies should take the following measures to avoid becoming another Equifax:
- Stay Up-To-Date On Software
Install anti-virus software on servers and implement application firewalls. Any software that is not kept up to date increases risk and can serve as an entry point for attackers.
- Credit Freeze
Nearly half of Americans may have had their information stolen in the recent Equifax data breach, and experts say freezing your credit is one line of defense.
According to the Federal Trade Commission, this tool lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name. That’s because most creditors need to see your credit report before they approve a new account. If they can’t see your file, they may not extend the credit.
If you opt for a temporary lift because you are applying for credit or a job, and you can find out which credit reporting company the business will contact for your file, you can save some money by lifting the freeze only at that particular company.
- Monitor Access to Your Data
Require multi-step authentication for employee access, verify a business reason for each system access, log and monitor employee use to identify unusual system patterns or behaviors, install secure internet access points, and use IP address profiling to prevent unauthorized access. Be aware of any unusual network activity and of data transmissions to unknown hosts.
- Change Passwords Frequently
There are many preventive actions when it comes to passwords, including using longer passwords with a variety of numbers and symbols, using different passwords for different systems, requiring password changes every 90 days, or requiring employees to "sign out" a specific administrator password so passwords aren't floating around and easily obtainable by an attacker, whether internal or external.
- Take Physical Security Measures
Physical measures for safeguarding information can involve restricting access to facilities to prevent physical intrusions, monitoring computer equipment, locking up particular rooms or file cabinets housing sensitive information, and also shredding documents.
- Educate Employees On Security Threats
It is important to educate employees on data security to reduce breaches from negligent behavior.
- Periodic Risk Assessments
With periodic assessments, whether through internal audits or third-party expertise, you can identify new areas of concern for potential security risks.
- Implement an Incident Response Plan
Prepare before an incident happens. For example, have resources ready that your customers can access following a breach to prevent fraudulent charges to their accounts and to recognize phishing attempts.
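As an added example (not from the original article or from IPR Secure) of what the "Monitor Access to Your Data" item above means by watching for data transmissions to unknown hosts, the Python script below parses constructed outbound-flow log lines, skips destinations on an assumed allow-list, and flags source/destination pairs by total transfer volume or off-hours timing. The log format, allow-list, byte threshold and business-hours window are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample outbound-flow log lines for illustration (not from any real system).
SAMPLE_LOG = """\
2017-09-01T02:14:07 src=10.0.5.21 dst=203.0.113.45 dport=443 bytes_out=734003200
2017-09-01T09:30:11 src=10.0.5.21 dst=198.51.100.10 dport=443 bytes_out=12040
2017-09-01T10:02:45 src=10.0.5.22 dst=198.51.100.10 dport=443 bytes_out=8801
2017-09-01T23:48:02 src=10.0.5.30 dst=192.0.2.77 dport=22 bytes_out=1048576
2017-09-01T11:15:33 src=10.0.5.22 dst=203.0.113.9 dport=80 bytes_out=2048
"""
KNOWN_HOSTS = {"198.51.100.10"}      # assumed allow-list: destinations with a documented business reason
BYTES_THRESHOLD = 50 * 1024 * 1024   # assumed: 50 MiB to one unknown host from one source is worth a look
BUSINESS_HOURS = range(8, 19)        # assumed: 08:00-18:59 counts as normal working activity
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$")

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["bytes"] = int(e["bytes"])
            events.append(e)
    return events

def find_suspicious_transfers(events, known_hosts=KNOWN_HOSTS, threshold=BYTES_THRESHOLD):
    """Flag (src, dst) pairs to non-allow-listed hosts by total volume or off-hours timing."""
    totals = defaultdict(int)
    off_hours = set()
    for e in events:
        if e["dst"] in known_hosts:
            continue  # approved destination, not of interest here
        key = (e["src"], e["dst"])
        totals[key] += e["bytes"]
        if e["ts"].hour not in BUSINESS_HOURS:
            off_hours.add(key)
    findings = []
    for key, total in totals.items():
        reasons = (["volume"] if total >= threshold else []) + (["off-hours"] if key in off_hours else [])
        if reasons:
            findings.append((key[0], key[1], total, reasons))
    return sorted(findings, key=lambda f: f[2], reverse=True)  # largest transfer first

if __name__ == "__main__":
    for src, dst, total, reasons in find_suspicious_transfers(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {total} bytes ({', '.join(reasons)})")
```

In the constructed sample, the 700 MB transfer at 02:14 to an unknown host is flagged on both counts, the small late-night SSH transfer only for its timing, and the daytime 2 KB request to an unknown host not at all.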
In conclusion, while data breaches appear to be on the rise, there are practical steps that will go a long way toward mitigating the risk of future breaches. The first step for any company is to change its mentality. Companies must become proactive, not reactive; aggressive, not passive. Take dramatic action now instead of waiting for a crisis to hit.