Equifax Breach – Info for you and your firm
In one of the largest breaches of sensitive personal information to date, if not the largest, Equifax announced the loss of more than 100 million records containing Social Security numbers, credit card numbers, and other personal information. While the exact details are still being investigated, Equifax has begun a process that lets individuals sign up for credit monitoring. To add to the confusion, rather than hosting the sign-up on the main equifax.com site, they set up a new site on a separate domain. Unfortunately, this gives scammers an opening: a look-alike domain is hard to tell apart from the real one when the real one is itself unfamiliar. At the same time, they have started issuing “unique” personal identification numbers (PINs) to people as they sign up. Astute individuals will notice the PIN is neither unique nor random. Early on, the PIN appears to be simply the date followed by the time of sign-up, for example 201709110906 (11 September 2017, 09:06). A PIN that can be derived from a timestamp is a weak secret, because anyone who knows roughly when you signed up can narrow it down to a few thousand guesses.

While there will certainly be more harmful repercussions from the breach, the best advice I can give at this time is to freeze your credit. This is more extreme than credit monitoring, but a freeze prevents (or should prevent) fraudulent accounts from being opened in the first place, whereas monitoring only tells you after the fact. We all know a preventive control is better than a detective control.
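To make the PIN point concrete, here is an added example (not code from the original post or from Equifax) that treats a PIN as the YYYYMMDDHHMM timestamp the text describes, counts how many guesses an attacker needs if they know the sign-up window, and contrasts that with a PIN drawn from a cryptographically secure random source. The one-week sign-up window and the 12-digit length are assumptions for illustration.

```python
import math
import secrets
from datetime import datetime
from typing import Optional

# Format the page reports for early Equifax PINs: date followed by time,
# to the minute, e.g. 201709110906 -> 2017-09-11 09:06.
PIN_TIMESTAMP_FORMAT = "%Y%m%d%H%M"
PIN_DIGITS = 12  # assumed length, matching the example in the text


def pin_as_timestamp(pin: str) -> Optional[datetime]:
    """Return the datetime a 12-digit PIN encodes, or None if it is not a
    valid timestamp (wrong length, non-digits, month 13, minute 60, ...)."""
    if len(pin) != PIN_DIGITS or not pin.isdigit():
        return None
    try:
        return datetime.strptime(pin, PIN_TIMESTAMP_FORMAT)
    except ValueError:
        return None


def timestamp_pin_candidates(start: datetime, end: datetime) -> int:
    """Number of distinct PINs an attacker must try if every PIN is a
    minute-resolution timestamp inside [start, end]."""
    if end < start:
        raise ValueError("end must not be before start")
    return int((end - start).total_seconds() // 60) + 1


def entropy_bits(candidates: int) -> float:
    """Guessing entropy, in bits, of a secret drawn uniformly from a set."""
    if candidates < 1:
        raise ValueError("need at least one candidate")
    return math.log2(candidates)


def random_pin(digits: int = PIN_DIGITS) -> str:
    """A PIN from a CSPRNG: all 10**digits values are equally likely, so the
    keyspace is the full 10**digits, not the handful of minutes in a window."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


if __name__ == "__main__":
    # Constructed sign-up window: one week from 7 Sep 2017 (assumption).
    window_start = datetime(2017, 9, 7)
    window_end = datetime(2017, 9, 14)
    weak = timestamp_pin_candidates(window_start, window_end)
    strong = 10 ** PIN_DIGITS
    print("201709110906 decodes to", pin_as_timestamp("201709110906"))
    print(f"timestamp PIN: {weak} candidates, {entropy_bits(weak):.1f} bits")
    print(f"random PIN:    {strong} candidates, {entropy_bits(strong):.1f} bits")
    print("example random PIN:", random_pin())
```

The numbers are the point: a minute-resolution timestamp over a one-week window gives about 10,000 possibilities (roughly 13 bits), while a uniformly random 12-digit PIN gives a trillion (roughly 40 bits). The first is trivially brute-forced by anyone who can submit guesses; the second is not.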
With regard to your firm and those of your clients, what we have learned from the Equifax breach so far is that the attackers exploited a flaw in software used by the Equifax website. What is not entirely known is how long this flaw existed and whether the attack was a zero-day exploit. A zero-day vulnerability is a weakness the software vendor does not yet know about, and therefore has no patch for; a zero-day exploit is an attack that uses such a weakness before a fix exists. Equifax and the software vendor, Apache, are working out whether this was a zero-day or a known issue that Equifax failed to patch. Regardless, for your firm and for the cyber security of your clients, failing to patch known vulnerabilities, especially on internet-facing systems, can no longer go unaddressed. The fallout, and the class-action lawsuits that are bound to arise from this breach, can cripple, if not outright eliminate, a small or medium-sized business. Keeping up with technology patches needs to be business as usual. Performing vulnerability assessments on your network needs to be business as usual. Your business won’t survive anything less.
For those individuals who wish to freeze their credit, these are the links to each credit bureau’s site: