Equifax, the company that two U.S. Congressional investigations accused of having poor cyber security after suffering a huge data breach exposing personal information of millions of people, is now concerned ordinary Canadians aren’t doing enough to keep their financial information secure.
In a survey released Wednesday, Equifax Canada said fewer Canadians are double-checking their financial statements, shredding personal documents, or installing security software on their computers despite the increased threat of fraud and identity theft.
“It seems that complacency is setting in for some people when we actually need to be more vigilant than ever in the fight against fraud,” Tara Zecevic, Equifax Canada’s vice-president of fraud prevention and identity management said in a release accompanying the survey.
The survey release comes a week after a U.S. Senate subcommittee released a highly critical report into the 2017 revelation that criminals had made off with Equifax Inc. data on 145 million Americans and 19,000 Canadians after the company failed to follow its own software patching policy. Not only that, vulnerability scans failed to detect that the urgently needed patch for the Apache Struts web framework hadn’t been installed — in part because the IT department didn’t know a server was using a vulnerable version of Struts.
And that’s the short version of the company’s failings in this incident.
The subcommittee concluded that the credit rating agency’s response to the vulnerability that facilitated the breach “was inadequate and hampered by Equifax’s neglect of cyber security. Equifax’s shortcomings are long-standing and reflect a broader culture of complacency toward cyber security preparedness.”
The report also noted that competitors TransUnion and Experian managed to plug the hole in Struts.
The Senate report followed an equally damning report from the U.S. House of Representatives last December.
Asked in an interview about the optics of releasing a survey critical of Canadians just after the Senate report hammered her company, Zecevic said “I totally appreciate that perspective. I think we addressed a lot of that with our commentary [last week] in the Senate. I know we’ve been investing significantly in security measures and it is definitely top of mind. At the end of the day, there are bad actors. We’re doing our part from a corporation and I think it’s important at the same time that consumers are aware and doing what they can as well.”
When it was suggested some Canadians may wonder about Equifax complaining about the way they protect information after its breach, she replied, “It was a significant breach. We’ve taken … the impact in Canada was a smaller number, not that I’m trying to minimize that. But it happened. And as I said we have taken a significant amount of measures both from a security [and] infrastructure as well. We’re doing our part. I’m not taking away anything from that. In this report, we’re simply reminding Canadians to do their part.”
According to CNBC, last week Equifax’s CEO told the Senate that “the fact that Equifax did not have an impenetrable information security program and suffered a breach does not mean that the company failed to take cyber security seriously.”
He also said the company plans to spend $1.25 billion USD more between 2018 and 2020 on security and information technology as a result of the incident.
Zecevic said the Equifax Canada survey came after seeing an increase in credit card fraud. This was the second annual survey. It wasn’t immediately clear how many people were questioned this year.
The survey found that consumers were doing more in two areas: sharing less on social media (up to 43 per cent from 39 per cent the previous year) and checking their credit reports (up to 28 per cent from 21 per cent). Surprisingly, the report said, millennials checked their credit reports more than any other age group (29 per cent).
However, only 35 per cent of respondents (and 22 per cent of millennials) said they install and/or update security software on their personal computer. And only 49 per cent (39 per cent of millennials) said they regularly update their security passwords. This last finding may not be serious; experts say that as long as a password is strong enough it isn’t necessary to change passwords over short periods, as was previously recommended.
As for the updating of security software, Zecevic said “it’s something that may not be top of mind” of Canadians. “There may be an assumption their system is automatically updating … At the very least it’s something they’re not on top of.”
The Senate report noted that an audit of Equifax’s patch management regime done two years before the breach found a backlogged system that couldn’t ensure patches were installed. On top of that, the company didn’t have a comprehensive IT asset inventory.
So while in April 2017 the company’s security staff knew that a warning about a highly critical vulnerability in Apache Struts was being circulated around the U.S., the Equifax developer who knew the company used the software wasn’t included in the email sent to 400 people spreading the warning. It did go to that person’s manager, but for some unexplained reason wasn’t forwarded to the developer or anyone on the developer’s team. Nor had that developer subscribed to the Apache Struts alerts notification list.
While Equifax had a vulnerability scanner, it failed to detect that a customer dispute portal server was running the leaky version of Struts.
The attackers made their first entry through that portal on May 13, 2017.
Another fumble: The SSL certificate protecting that server’s data traffic through encryption had expired months before. It wasn’t updated until July 29, 2017. Only then did Equifax staff notice suspicious traffic.
Once inside the online dispute portal, the hackers searched for and eventually found a data repository that contained unencrypted staff usernames and passwords that allowed the hackers to access more databases.
(The hysterical laughter of infosec pros reading this last sentence can be heard across the Galaxy. We quote next from the Senate report: “The usernames and passwords the hackers found were saved on a file share by Equifax employees. Equifax told the Subcommittee that it decided to structure its networks this way due to its effort to support efficient business operations rather than security protocols.”)
“In addition,” said the report, “Equifax did not have basic tools in place to detect and identify changes to files, a protection which would have generated real-time alerts and detected the unauthorized changes the hackers were making.”
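The “basic tools” the report refers to are file integrity monitoring: record a hash of every file in a baseline, re-hash on a schedule, and alert on anything added, removed or altered. The script below is an added illustration written for this article, not Equifax’s tooling or anything from the Senate report; the directory layout, file names and the three simulated changes are constructed for the demo.

```python
"""Minimal file integrity monitor (added example, not from the article).

Baseline a directory tree (SHA-256, size and permission bits per file), then
compare a later pass against that baseline and report added, removed and
modified paths. A production deployment would persist the baseline somewhere
the monitored host cannot rewrite it and run the check on a schedule.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, streamed so large files don't have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative to root) to its hash, size and mode bits."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def save_baseline(baseline: dict, out_file: Path) -> None:
    """Persist the baseline as JSON so a later run can load it."""
    out_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines. A permission change counts as a modification too."""
    before, after = set(baseline), set(current)
    modified = sorted(
        p for p in before & after
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": modified,
    }


def demo() -> dict:
    """Constructed scenario: a tiny web root is baselined, then three
    unauthorized changes are made and the second pass reports them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        webapps = root / "webapps"
        webapps.mkdir()
        (webapps / "index.jsp").write_text("<html>home</html>\n")
        (webapps / "dispute.jsp").write_text("<html>dispute form</html>\n")
        (webapps / "config.properties").write_text("db.host=db01\n")

        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(webapps), baseline_file)

        # Simulated unauthorized changes: one file altered, one new file
        # dropped into the web root, one file deleted. index.jsp is untouched.
        (webapps / "dispute.jsp").write_text("<html>dispute form (altered)</html>\n")
        (webapps / "unexpected.jsp").write_text("<%-- constructed sample --%>\n")
        (webapps / "config.properties").unlink()

        return compare(load_baseline(baseline_file), build_baseline(webapps))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it as a script and it prints one line each for added, removed and modified paths. The baseline deliberately includes permission bits alongside the hash, because a file whose contents are unchanged but which has been made world-writable is also a change worth an alert.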