The Schwartz Report

Massive Equifax Breach Epitomizes Reckless IT Security Practices

Given the scope of a growing number of major data breaches, each one is harder to top, although security experts know there's no bottom limit to what could be next. The compromise of 143 million individual accounts reported by Equifax on Sept. 7, which included names, birthdates and credit card numbers, may be one of the most damaging breaches disclosed to date. Apparently tied to the Equifax breach, news surfaced Friday that information on more than 200,000 credit card accounts was also stolen.

The way Equifax executives and its IT security team appear to have failed to adequately apply patches, the amount of time it took to discover the depth of the breach and the delay in ultimately reporting it certainly paint a picture of a colossal failure at all levels, including the curiously timed stock sales by top executives (who deny knowledge of the breach at the time of the sale) just days before the disclosure, reported by Bloomberg.

Fallout from the breach has, not surprisingly, led to the reported departures of CIO Dave Webb and CSO Susan Mauldin late last week. Signs of trouble trace back to March 8, when Cisco warned of a security flaw in Apache Struts, the open source, Java-based framework widely used on interactive Web sites, that already was "being actively exploited," before the July 29 discovery of trouble at Equifax and the Sept. 7 revelation of how many potential customer records were stolen, according to a detailed report published by The Wall Street Journal today.

While the report noted many details remain unknown, it is understood that hackers pillaged information between May and the July 29 discovery. A few days later, Equifax brought in security consulting firm Mandiant, now a unit of FireEye and associated with many high-profile forensics investigations including the Yahoo breach last year, when data on more than 1 billion accounts were exposed.

Initially, Mandiant believed that 50 million accounts were compromised. But as its investigation continued, it determined it was nearly three times that amount, according to the report, which also noted the company registered the EquifaxSecurity2017.com domain for customers to seek information.

The report also noted last week's revelation by Alex Holden, founder of Hold Security, that an Equifax portal in Argentina was "wide open, protected by perhaps the most easy-to-guess password combination ever: 'admin/admin,'" he told the KrebsOnSecurity Web site.

The true impact of the Equifax breach is yet to unfold, but it already has brought a new awareness to the risks at hand that many have long overlooked or ignored. How organizations address their own risks in the wake of this remains to be seen.

Posted by Jeffrey Schwartz on 09/18/2017 at 7:39 PM

