The Equifax data breach could cost the international credit rating company hundreds of millions of dollars in direct damages, says an industry analyst who just wrote a report on calculating the costs of breaches.
“This is going to be a painful one, given what we’re seeing in size and scope and how it’s basically a treasure trove of consumer data [exposed] and what that could be used for,” Heidi Shey, a senior security and risk analyst at Forrester Research, said in an interview Monday.
Shey’s estimate was just on what she calls measurable damages, such as regulatory fines, possible damages awarded by courts, new security and audit measures needed to be implemented and credit monitoring offered to victims.
On top of that are costs that are hard to measure, such as loss of brand reputation.
Atlanta-based Equifax said last week that among the over 140 million affected by the breach were an unidentified number of Canadians who suffered “unauthorized access to limited personal information” when criminals exploited a U.S. website application vulnerability to gain access to certain files.
The majority of victims were Americans, whose names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers were accessed.
However, credit card numbers of approximately 209,000 U.S. consumers were also accessed.
The company said it learned of the incident on July 29. However, it only made a public statement on Sept. 7.
It has evidence suggesting the unauthorized access started in mid-May, meaning criminals may have been selling data for months.
Financial services firm Baird Equity said in a research note to investors it understands attackers used a flaw in the Apache Struts open source framework for creating web applications to gain entry. Attackers then captured data entered and retained through consumer portals, such as consumers inquiring about their credit reports and disputes.
That may fit with Equifax’s statement that it “found no evidence of activity on Equifax’s core consumer or commercial credit reporting databases.”
The Apache Software Foundation blog issued a statement over the weekend saying that while a vulnerability and a patch were disclosed Sept. 4, it doubts that was the culprit. The breach was detected July 5, the foundation notes, so it is more likely attackers either used an earlier announced vulnerability on an unpatched Equifax server or exploited an as yet unknown (zero-day) vulnerability.
UPDATE: On Sept. 13 Equifax confirmed the breach involved an Apache Struts vulnerability, CVE-2017-5638, available in the wild since March. Meanwhile, security writer Brian Krebs reported on Sept. 12 that Equifax’s Argentina operations have been sloppy. A source said the company’s employee portal there was allegedly protected with the password “admin/admin.”
Shey’s report, released at the end of August, urges security and risk pros to calculate the business impacts and costs of a range of possible data breaches to elevate IT security discussions with the business side.
Some executives have a hard time establishing their organization’s risk of exposure to a breach, she writes, so infosec pros find it hard to create a business case for investing in security technologies. Executives realize something has to be done, Shey added in the interview, such as meeting a particular regulatory requirement.
But the conversation is more challenging if it is about increasing security maturity or risk mitigation.
“By understanding the different factors and variables related to a breach that puts companies in a better position to understand the things they could do as they’re doing their security strategies and incident response planning to help reduce the costs if it would happen to them.”
Start by considering different breach scenarios – what would happen if consumer data is lost? If intellectual property is lost? – and work from there. Cost factors could include response and notification, lost employee productivity and turnover, settlements, regulatory fines, brand recovery costs, and additional security and audit requirements.
The exercise is not about coming up with an exact cost, Shey adds, as much as understanding the range of factors that could affect damage costs.
As for companies using open or closed source supporting libraries in their software, Adobe advises infosec pros to understand which supporting frameworks and libraries are being used, and to keep track of security announcements affecting them.
If a security update is needed, “best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.”
“Any complex software contains flaws. Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.”
It also – again – reminds CISOs to establish security layers. “It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.”
Finally, establish monitoring for unusual access patterns to public Web resources.
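The advice above to know which frameworks and libraries are in use and to track security announcements against them is easiest to act on when it is automated. The following is an added example, not code from the article, from Equifax or from the Apache project: it reads a constructed Maven pom.xml fragment, resolves the declared struts2-core version (including `${property}` placeholders), and flags it if it falls in the ranges the Apache advisory lists for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10). The manifest contents, the `VULNERABLE_RANGES` table and the function names are assumptions for illustration; a real deployment would feed it the organization’s actual manifests and a maintained advisory feed.

```python
"""Audit a Maven manifest for Apache Struts versions affected by a known CVE.

Added example (not the article's or Apache's code). The pom fragment below is
constructed for illustration; the version ranges are those published for
CVE-2017-5638 and are the only advisory data this script knows about.
"""
import re
import xml.etree.ElementTree as ET

# Advisory table: CVE -> list of inclusive (low, high) version ranges.
# Assumption: a real tool would load this from a maintained feed.
VULNERABLE_RANGES = {
    "CVE-2017-5638": [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))],
}

# Constructed sample manifest: struts2-core pinned through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>"""


def strip_ns(tag):
    """Drop the XML namespace prefix Maven puts on every element."""
    return tag.split("}", 1)[-1]


def parse_version(text):
    """'2.3.31' -> (2, 3, 31); '2.5' -> (2, 5, 0). Extra parts are kept so
    that 2.5.10.1 (the fixed release) sorts above 2.5.10."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version, ranges):
    """True if the version lies inside any inclusive range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in ranges)


def pom_properties(root):
    """Collect <properties> children as a name -> value map."""
    props = {}
    for el in root.iter():
        if strip_ns(el.tag) == "properties":
            for child in el:
                props[strip_ns(child.tag)] = (child.text or "").strip()
    return props


def resolve(value, props):
    """Expand a single ${name} placeholder; leave anything else unchanged."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value)
    return props.get(m.group(1), value) if m else value


def dependencies(pom_xml):
    """Yield (groupId, artifactId, resolved version) for each <dependency>."""
    root = ET.fromstring(pom_xml)
    props = pom_properties(root)
    for dep in root.iter():
        if strip_ns(dep.tag) != "dependency":
            continue
        f = {strip_ns(c.tag): (c.text or "").strip() for c in dep}
        yield f.get("groupId"), f.get("artifactId"), resolve(f.get("version", ""), props)


def audit(pom_xml, advisories=VULNERABLE_RANGES):
    """Return (cve, coordinate) findings for struts2-core; unresolvable
    versions are reported as ('UNRESOLVED', coordinate) rather than ignored."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        if group != "org.apache.struts" or artifact != "struts2-core":
            continue
        coord = f"{group}:{artifact}:{version}"
        try:
            for cve, ranges in advisories.items():
                if is_vulnerable(version, ranges):
                    findings.append((cve, coord))
        except ValueError:
            findings.append(("UNRESOLVED", coord))
    return findings


if __name__ == "__main__":
    for cve, coord in audit(SAMPLE_POM):
        print(f"{cve}: {coord}")
```

Reporting unresolved versions rather than skipping them matters in practice: a placeholder that is set in a parent POM or on the build command line is exactly the kind of dependency that slips out of an inventory, and silence there is the failure mode the advice above warns about.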