Yesterday (10/3) was a busy news day. The tragedy in Las Vegas and the ongoing recovery efforts in Puerto Rico overshadowed another event that is very important in its own right.
The mess that was the Equifax data breach has been explained from the perspective of the former CEO Richard Smith in the form of Congressional testimony. Many questions were asked of the embattled previous chief of one of the country’s largest credit reporting agencies. The biggest and most often asked question was, “How did this happen?”
Here’s the short answer:
Inadequate security and a complete lack of oversight.
There were three key factors involved. All three are easily avoided with a purposeful and competent approach to infrastructure security.
1. Equifax’s patching procedures were completely insufficient.
A patch covering the vulnerability had already been issued. Simple vulnerability scans would have found the unpatched hole, and applying the patch would have fixed the problem.
2. Equifax stored very sensitive information in plain text.
Plain text. This is not a misprint or misrepresentation. According to Smith, all of your data, my data, every working adult’s data was stored in plain text. Had the data been properly encrypted, deciphering it could have taken years.
Encryption is the key. Any sensitive information a business does not want falling into the hands of thieves must be encrypted.
3. Equifax security reviews were set for once a quarter.
Lack of oversight is unacceptable and inexcusable. This is our information, and it deserves protection to the best of Equifax’s ability. The best of Equifax’s ability was not enough.
The takeaway:
The breach taught many tough lessons that deserve illumination. Many simple, inexpensive steps should have been taken to protect your data.
• Security patches - Information stored on secured servers is not necessarily secure. Vendors and experts constantly release updates, and it is imperative to stay on top of them.
• Encryption is crucial - Sensitive information needs critical attention and heavy security. It does not matter how many layers of security your infrastructure has; if they fail, the data must be unreadable to anyone who accesses it through nefarious means.
• Competent technology staff - Having the right people in the right places is paramount. Equifax’s staff did not apply a patch in a timely manner, the breach happened, and it went undiscovered for months. Timely scans were not happening, data was not encrypted, and breaches went unnoticed (for months). Make sure your staff or outsourced partner is securing your infrastructure.
Keep these steps in mind when securing your infrastructure. The hackers are everywhere and businesses big and small are targets. Information is bought and sold in many places, open or closed. The right technology partner will keep your data safe.