Albuquerque Journal

WAKE-UP CALL

Equifax’s massive personal-data breach could be just the tip of the iceberg

BY KEVIN ROBINSON-AVILA, JOURNAL STAFF WRITER

Cybersecurity experts say the massive breach of credit-reporting company Equifax Inc.’s data systems may be a needed wake-up call to galvanize business and government into much more aggressive action to protect online data in today’s hyperconnected cyber world.

Fallout from the breach, which could impact about 143 million U.S. consumers, is mounting, as federal and state-level agencies assess the full extent of the damage. Larger data breaches have occurred in recent years, but the Equifax breach exposed sensitive personal data — names, Social Security numbers, birth dates, and addresses for fully half of the U.S. population.

Equifax faces congressional investigations, class-action lawsuits, inquiries by the Federal Trade Commission and the Consumer Financial Protection Bureau, and action by attorneys general from around the country.

That includes New Mexico Attorney General Hector Balderas.

“Equifax needs to make right by our families,” Balderas said in a public statement last week. “We launched an immediate investigation into Equifax, the circumstances surrounding the breach, and the delay in disclosure to New Mexicans. Our office is working to hold Equifax accountable.”

Equifax is under fire for its actions before and after the data breach, particularly its decision to wait six weeks to publicly disclose the attack after discovering it on July 29.

Details are still scarce, but apparently hackers broke into Equifax through a flaw in the Apache Struts software package that runs one of its online web portals. That generated even more intense criticism, because that software vulnerability had already been publicly known since March, with a software patch available to fix it, but Equifax didn’t apply it until after its website was breached.

That apparently lax security, plus the immense damage cybercriminals could now inflict on consumers and businesses, may convert Equifax into a watershed event that pushes government and industry into much more aggressive efforts to fight cybercrime, according to industry experts.

“Awareness unfortunately comes from attacks like these,” said John Yun, marketing director for California-based cybersecurity firm ZingBox. “They almost need to happen to wake up to the possibilities of hacking. It brings a lot more awareness to the industry and security vendors themselves, as well as consumers.”

An epidemic

Cybercrime had already reached epidemic proportions. Nearly 1.1 billion identities were stolen worldwide through data breaches last year, almost double the 2015 tally, according to the latest annual Internet Security Threat Report released last spring by global cybersecurity firm Symantec Corp.

In the last eight years, such breaches have exposed more than 7.1 billion identities worldwide.

Attacks are radically escalating on all fronts, including massive heists with billions of dollars stolen, and chronic blackmail of businesses and consumers through ransomware that, in the U.S., is forcing victims to pay an average of $1,077 each time to retrieve control of their systems, according to Symantec. The number of ransomware attacks grew 36 percent worldwide last year, and Symantec estimates one in every 131 emails today contains a malicious link or attachment.

Apart from cybercrime, sabotage potentially linked to cyberwarfare by nation states is growing exponentially in frequency and reach, such as the alleged Russian hacking of U.S. elections last year.

And hackers may be gaining control over critical infrastructure. Just days before the Equifax breach, Symantec warned that a group called Dragonfly 2.0 targeted dozens of energy companies last spring and summer. They gained access to utility networks, and in a handful of cases in the U.S. and elsewhere, the intruders had potential control over grid operations, enabling them to cause blackouts if they had actually flipped the power switches.

Also, last Thursday, the U.S. Securities and Exchange Commission revealed that its Electronic Data Gathering, Analysis and Retrieval system was hacked last year. EDGAR processes more than 1.7 million electronic filings annually, including sensitive financial disclosures that can cause enormous movements in the market, sending billions of dollars in motion on stock exchanges in fractions of a second.

A hyperconnected world

Industry experts say the cybercrime tidal wave is less a reflection of hackers becoming more sophisticated than of the explosion of Internet connections and data sharing in today’s hyperconnected world.

“Growing hacker sophistication is a factor, but it’s the evolution in online data sharing that’s creating havoc,” said Srinivas Mukkamala, co-founder and CEO of Albuquerque-based cybersecurity firm RiskSense. “There’s more and more computing and consolidation of big data all in one location, and attackers need minimal skills to break in, while companies need real sophistication to protect themselves.”

In recent years, local data management has given way to national and international management, with data continuously shared across the globe, Mukkamala said. And many of the companies managing or handling that data are startups without the resources and technology to protect against hackers.

The evolution toward an Internet of Things, which refers to thousands of online devices connecting everything from appliances and security cameras to heating and cooling systems in homes and businesses, is creating a whole new cyber world ripe for hacking. In some cases, such as devices in hospitals, that can give criminals control over life and death, said Yun of ZingBox, which is developing new tools to monitor those connections.

At this year’s Def Con hacker convention last July in Nevada, one ZingBox expert demonstrated the ability to hack into a widely used brand of IV infusion pump, allowing him to alter medicine flow to a patient.

“There are just so many more devices and services now available online, and they weren’t designed to fend off hackers,” Yun said.

As a result, cybersecurity’s traditional focus on teaching employees what to do and not to do to protect systems is inadequate, said Jack Miller, chief information security officer for cybersecurity firm SlashNext, which created hardware to monitor all traffic on a company’s network.

“We’ve relied too much on training employees, when what we need is better technology to protect systems,” Miller said. “We need tools that rely on artificial intelligence to track and fix things.”

That includes the new technologies being developed by firms like ZingBox and SlashNext. It’s also the foundation on which RiskSense built its business, creating a software-as-a-service platform that constantly monitors and analyzes networks for customers.

It’s the interface between artificial intelligence and humans, plus the sharing of lessons learned among everybody, that will allow industry and government to get ahead of cybercrime, Mukkamala said.

“We have to look at the entire ecosystem,” he said. “Maybe you as an entity are not vulnerable, but who are you connected to and what are you sharing? We don’t operate in silos, but in an ecosystem that creates seamless data sharing and, as a result, seamless data breaches.”

Federal regulation is also critical, Miller said.

“The public needs to push the government and industry leaders to have policy conversations,” Miller said. “We need real transparency with regulations that are prescriptive enough to follow through and implement them. We need much clearer, detailed guidelines on what needs to be done.”

ABOVE LEFT: RiskSense CEO Srinivas Mukkamala says consolidation of big data leaves companies vulnerable to attackers who need minimal skills to break in.
DEAN HANSON/JOURNAL RiskSense employees at work in Albuquerque. The cybersecurity company markets a software-as-a-service platform that constantly monitors and analyzes networks for customers.
