Equif*@#$d: Equifax Breach Response Off To A Rough Start

This is the first post in our running series on the Equifax data breach.

  1. Equif*@#$d: Equifax Breach Response Off To A Rough Start
  2. Equifax Breach: Legal, Vulnerability Blame Game, and the Big Technical Debacle
  3. Equifax Breach: EULAs, Size Doesn’t Matter, and Where’s The Data?
  4. Equifax Breach: The Bigger Picture, Identity, Impact, and Advice
  5. Equifax Breach: Ambulance Chasing, FireEye, and a News Roundup
  6. Equifax Breach: Timeline, International, Patching, Gender, PCI, oh my!

The research team at Risk Based Security documents hundreds of data breaches every month, so it takes a truly extraordinary event to make our entire team utter a collective groan of disbelief. The disappointing breach announced by Equifax is one of those events. It lit up our Twitter feeds and Slack channel unlike any other breach disclosed this year, even though there have been much larger breaches.

The basic facts read like those of so many other breaches. A vulnerability in a web application was exploited to gain access to the personal information of approximately 143 million people, roughly 40% of the U.S. population. The compromised data includes names, Social Security numbers, addresses, and in some cases driver’s license numbers. Another 209,000 payment card numbers were also accessed, as were 182,000 dispute documents. The breach itself is believed to have started in mid-May of this year and was discovered about two and a half months later, on July 29th.

It’s not the number of people impacted that got our team’s attention; as mentioned, we’ve seen at least six larger breaches this year, including three that each exposed over one billion records. Rather, it’s the long-term implications this event will have both for the impacted persons and for Equifax itself.

For the people who had their data exposed, there is no good recourse here. Unlike passwords that can be changed or credit card accounts that can be cancelled, this breach exposed precisely those fixed data points that cannot (easily) be changed. These are the key identifiers for linking a person with their credit history, tax filings, bank accounts, employment history, and so much more. It may be stating the obvious, but it’s not particularly comforting when the only recourse Equifax is offering is its very own TrustedID Premier credit monitoring and identity theft protection service. Granted, it includes credit file monitoring from TransUnion and Experian, but neither of those companies is a stranger to data security events of its own. TransUnion has fared the best of the big three, with only seven breaches disclosed since 2005, six of which originated with the unauthorized use of access credentials (i.e. compromised client logins). Experian is a much different story, with over 100 breaches disclosed, most notably the 2015 compromise of 15,000,000 T-Mobile customers’ data and the Court Ventures debacle of 2013.

Until recently, Equifax’s breach history tracked closely with TransUnion’s. There were a few more instances of compromised client logins, but all told, its breach history was nowhere near Experian’s in frequency. However, there were signs earlier this year that all was not well at Equifax. In February, the credit reports of 158 LifeLock members, which were provided by Equifax, were exposed due to a “technical issue” with the online portal used to access the reports. The breach notification letter sent by Equifax implies the problem resided with Equifax. Whatever the “technical issue” was, it resulted in credit reports inadvertently being made available to the wrong customer. Equifax Workforce Solutions (TALX Corp) went on to report four additional breaches this year, the largest of which impacted 40,645 employees and contractors of Allegis Group due to a compromise of the online payroll management portal provided by TALX.

One fact that has become crystal clear to us is that public perception of how the response is handled has a long term impact on the reputation of the breached organization. From the moment this breach was announced, Equifax was immediately in a challenging position. After all, if asked, most people would expect a major credit bureau like Equifax to have impeccable security. We know that no organization is immune to an event like this and no good can come from rushing to judgment about the state of Equifax’s security practices. We prefer to give Equifax the benefit of the doubt on that point but we do see many early signals the breach response is off to a rocky start.

Setting aside the fact that they are offering their own identity theft protection product to impacted persons (they are, after all, in the business of providing such services), the company has chosen to ask people to enroll in the service themselves.

From the statement:

based on that information you will receive a message indicating whether your personal information may have been impacted by this incident. Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier.

Why ask impacted persons to enroll? If Equifax has sorted out who is, in fact, impacted, why not automatically provide some monitoring for suspicious activity within your own bureau? Yes, the three bureau monitoring included with TrustedID Premier is preferred in a situation like this but Equifax is in a unique position to do more here.

Then there is the option to use an online tool to check whether your personal information is potentially impacted. To use this lookup, all you need to do is provide your last name and the last six (not four) digits of your Social Security number. However, the website launched to announce this breach is problematic in several ways. First, it appears that the site returns the same message regardless of what information you enter. Second, the site is not hosted on the Equifax network and appears to be a fairly stock WordPress installation (WordPress has had 25 known vulnerabilities in 2017 alone, according to VulnDB). Third, the site appears at times to be serving a bad SSL certificate, and OpenDNS is blocking it as a phishing page. Since trust is critical for sites like this, especially after a breach of this severity, it is difficult for consumers to trust that Equifax’s latest online support option is properly protecting their data.

It appears Equifax has opted for “alternative notification”, choosing to disseminate information about the breach through the media and offering this “TrustedID Premier tool” in lieu of individual notification letters. Most state data breach notification statutes allow for some form of alternative notification for large breaches like this or when contact information is simply not available. Granted, individual letters may have been costly, but handing over a name and partial Social Security number via a website to a company that just potentially compromised that same name and Social Security number, thanks to a web app vulnerability, doesn’t exactly feel like a great method of learning whether or not I’m impacted. Worse, that site was also set up hastily, throwing a 404 error when visiting the main page earlier today.

Then there is the fact that they state quite clearly for those that do choose to enroll in monitoring:

“On your designated enrollment date, please return to this site, www.equifaxsecurity2017.com. For security purposes, you will be asked to re-enter your last name and the last six digits of your Social Security number.”

And this:

“… within a few days, you will receive an email with a link to activate TrustedID Premier. Please be sure to check your spam and junk folders if you do not receive your activation email within that timeframe.”

There is being transparent about your process, and then there is tipping off fraudsters to start cranking out phishing scams. As one person slyly asked in a Twitter poll, “which of these is the real Equifax site asking for your social security number?” It’s just a matter of time before phony websites start popping up asking for such information. Nor need fraudsters worry about their emails being filtered: Equifax is advising concerned persons to check their spam folders for the confirmation email. Further, once you use the website to enroll, you may receive a message saying that enrollment is actually five days away.
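The phishing risk above is concrete: a one-off domain like www.equifaxsecurity2017.com, announced with no prior relationship to the equifax.com brand, is easy to imitate. The script below is an added example (not code from the original post, from Equifax, or from Risk Based Security) of the check a security team would run over newly registered domains or inbound email links: it folds visually confusable characters, then classifies a candidate domain as a TLD swap, homoglyph, affix or typo variant of the genuine name. The legitimate domain is the one quoted in Equifax’s statement; every “observed” domain in the candidate list is constructed for illustration and is not a claim about any real site. The registrable-domain split is deliberately naive (last two labels) and is an assumption that ignores multi-part suffixes such as co.uk.

```python
"""Look-alike domain check for a breach-response enrollment site.

Added example, not code from the original post, Equifax, or Risk Based
Security. The legitimate domain is the one quoted in Equifax's statement; the
"observed" domains in CANDIDATES are constructed for illustration only.
"""
from typing import Optional, Tuple

LEGIT_DOMAIN = "equifaxsecurity2017.com"  # quoted in Equifax's statement

# Confusable sequences folded to one canonical form so that, for example,
# "2O17" and "2017", or "rn" and "m", compare equal. Multi-character rules
# run first so "rn" is folded before the single-character rules touch it.
FOLD_RULES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]


def fold(text: str) -> str:
    """Lowercase and collapse confusable characters to a canonical form."""
    text = text.lower()
    for src, dst in FOLD_RULES:
        text = text.replace(src, dst)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_domain(host: str) -> Tuple[str, str]:
    """Naive registrable-domain split: (name label, TLD) from the last two
    labels. Assumption: ignores multi-part public suffixes such as co.uk."""
    parts = host.strip().lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def lookalike_reason(observed: str, legit: str = LEGIT_DOMAIN,
                     max_typo_distance: int = 2) -> Optional[str]:
    """Return why `observed` imitates `legit`, or None if it does not.

    Checks run from most to least specific; the genuine host (including
    its www. subdomain) returns None."""
    obs_label, obs_tld = split_domain(observed)
    leg_label, leg_tld = split_domain(legit)
    if (obs_label, obs_tld) == (leg_label, leg_tld):
        return None                       # the genuine site, not a look-alike
    if obs_label == leg_label:
        return "tld-swap"                 # same name under another TLD
    obs_f, leg_f = fold(obs_label), fold(leg_label)
    if obs_f == leg_f:
        return "homoglyph"                # differs only in confusable characters
    if leg_f in obs_f or fold(legit) in fold(observed):
        return "affix"                    # genuine name embedded in a longer host
    if levenshtein(obs_f, leg_f) <= max_typo_distance:
        return "typo"                     # a character or two away from the real name
    return None


def is_lookalike(observed: str, legit: str = LEGIT_DOMAIN) -> bool:
    return lookalike_reason(observed, legit) is not None


if __name__ == "__main__":
    CANDIDATES = [  # constructed for illustration; not real registrations
        "www.equifaxsecurity2017.com",
        "equifaxsecurity2O17.com",
        "equifaxsecurity2017.net",
        "equifaxsecurity217.com",
        "secure-equifaxsecurity2017.com",
        "equifaxsecurity2017.com.example.net",
        "equifax.com",
        "example.org",
    ]
    for domain in CANDIDATES:
        print(f"{domain:40} -> {lookalike_reason(domain) or 'no match'}")
```

The folding step is what catches the case a plain edit-distance check misses: `equifaxsecurity2O17.com` (capital O for zero) is a distance-1 typo to a string comparison but reads as identical to a person, so it is reported as a homoglyph rather than a typo. The affix rule flags both prefixed names (`secure-…`) and the common trick of placing the genuine domain in front of an attacker-controlled suffix (`…com.example.net`), which the naive last-two-labels split would otherwise miss.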

Proper data breach response is a tricky business. Companies need to be open and honest about what occurred without proving themselves negligent. They need to offer meaningful assistance to the impacted persons in a way that doesn’t cause confusion or more harm. Ultimately, they need to convey that they are doing all they can to correct the issue and make things right for their customers. It’s still too early to know if Equifax’s response will meet this challenge or fall short. Most people will forgive a data breach (eventually) if they believe the company did all it could to make things right. Unfortunately early indications are that Equifax is not doing themselves many favors with the response effort, making it that much longer of a road to travel before regaining consumer trust.

And for the record, when your senior executives sell shares worth almost $1.8 million three days after discovering the breach, be prepared for a lot of questions! More interesting is how Equifax’s PR department can’t tell users today whether they were part of the breach, yet knew that the three executives “had no knowledge that an intrusion had occurred at the time.” Many find it difficult to believe that the Chief Financial Officer (CFO) would not have been informed of such an incident!

The story continues with Equifax Breach: Legal, Vulnerability Blame Game, and the Big Technical Debacle.