Equifax Chief Executive Richard F. Smith announced his retirement this week. The Equifax board has said that it could retroactively classify Smith’s retirement as a firing – jeopardizing his compensation.
Here’s what happened
The scope of the massive Equifax breach, which directly affected 143 million people, is incredible. Equifax publicly reported the breach on September 7, stating it was discovered on July 29. It is believed that the breach started in mid-May and continued until its discovery in late July. My initial reaction was that this must have been a sophisticated cyberattack. How else could an organization such as Equifax, which handles data-rich information on millions of people, allow this to happen? A company that large should have virtually unlimited resources to fund the most sophisticated strategies for securing its data. After all, is any data more high risk or in higher demand than credit reports and Social Security numbers? And if Equifax cannot prevent a breach, what does that mean for the small companies or healthcare providers who have very limited budgets and are frequently required to outsource their IT security?
According to the Wall Street Journal, the breach was caused by an unpatched flaw in the Apache Struts web application software used by Equifax customers to dispute credit report errors. The flaw was first discovered by Cisco security researchers on March 8. On that same day, Apache released a patch. The U.S. Computer Emergency Readiness Team also released a vulnerability security bulletin on March 8.
Wired magazine reported: “it would have been simple for an attacker to exploit the flaw and get into the system.” Wired also wrote:
"This vulnerability was disclosed back in March. There were clear and simple instructions of how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly," says Bas van Schaik, a product manager and researcher at Semmle, an analytics security firm. "The fact that Equifax was subsequently attacked in May means that Equifax did not follow that advice. Had they done so this breach would not have occurred."
Lessons for your organization
The investigation continues, and if the cause of the breach is confirmed to be unpatched software, this breach provides a very strong reminder to everyone - including small providers - that reducing the odds of a breach requires a straightforward strategy of promptly installing all operating system and application software updates. Make sure there is a written policy and procedure addressing this: who receives vulnerability notices, who decides whether they apply to your systems, and how quickly patches must be installed. The policy should include receiving email alerts from the US Computer Emergency Readiness Team (US-CERT). If not already part of your policy, sign up here. Make sure your Security Officer, Privacy Officer, Compliance Officer and IT Support are subscribers.
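The gap the article describes is the one between an advisory going out (March 8) and the patch actually being applied (still missing in mid-May). A patch-tracking procedure needs to close that gap mechanically: match each advisory against an inventory of what is installed, and report every host still below the fixed version together with how long it has been exposed. The script below is an added illustration of that check; it is not code from the original article, from Equifax or from US-CERT. The component names, version numbers and host names are constructed placeholders, and only the March 8 advisory date and the mid-May timing come from the article. It also shows a mistake that a naive check makes: comparing version strings lexically ranks "2.3.5" above "2.3.10", so an unpatched host would be reported as patched.

```python
"""Patch-tracking check: flag inventory entries that lag a vendor or US-CERT advisory.

Added example for this article; not code from the original page, Equifax or US-CERT.
All component names, versions and hosts below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    component: str       # software the advisory applies to
    fixed_version: str   # first version that contains the fix
    published: date      # day the vendor / US-CERT bulletin went out


@dataclass(frozen=True)
class Asset:
    host: str
    component: str
    installed_version: str
    internet_facing: bool  # exposed systems get patched first


def parse_version(v: str) -> tuple:
    """Turn '2.3.10' into (2, 3, 10) so comparison is numeric, not lexical.

    A plain string compare ranks '2.3.5' above '2.3.10', which would let an
    unpatched host pass the check. Trailing tags such as '-rc1' are ignored,
    i.e. '2.5-rc1' counts as 2.5 (simplification in this constructed example).
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the fixed version.
    Pads with zeros so that '2.3' and '2.3.0' compare equal."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def find_unpatched(assets, advisories, today: date):
    """Return (asset, advisory, days_exposed) for each asset still below the
    advisory's fixed version, internet-facing hosts first, then longest exposure."""
    by_component = {adv.component: adv for adv in advisories}
    findings = []
    for asset in assets:
        adv = by_component.get(asset.component)
        if adv is None:
            continue  # no open advisory for this component
        if not is_patched(asset.installed_version, adv.fixed_version):
            findings.append((asset, adv, (today - adv.published).days))
    findings.sort(key=lambda f: (not f[0].internet_facing, -f[2]))
    return findings


# Constructed sample data. The advisory date is the March 8 date from the article;
# the component name, versions and hosts are placeholders.
SAMPLE_ADVISORIES = [
    Advisory("example-web-framework", "2.3.10", date(2017, 3, 8)),
]
SAMPLE_ASSETS = [
    Asset("dispute-web-01", "example-web-framework", "2.3.5", True),   # unpatched, exposed
    Asset("dispute-web-02", "example-web-framework", "2.3.10", True),  # patched
    Asset("intranet-app-02", "example-web-framework", "2.3.9", False), # unpatched, internal
    Asset("db-01", "example-database", "11.2", True),                  # no advisory
]


def run_sample(today: date = date(2017, 5, 13)):
    """Run the check against the constructed inventory as of mid-May 2017."""
    return find_unpatched(SAMPLE_ASSETS, SAMPLE_ADVISORIES, today)


if __name__ == "__main__":
    for asset, adv, days in run_sample():
        where = "INTERNET-FACING" if asset.internet_facing else "internal"
        print(f"{asset.host:16} {asset.component} {asset.installed_version} "
              f"< {adv.fixed_version}  advisory {adv.published}  "
              f"exposed {days} days  [{where}]")
```

Run as-is, the report lists dispute-web-01 first (exposed to the internet, 66 days after the advisory) and intranet-app-02 second, while the host already on 2.3.10 and the component with no advisory are left out. In practice the inventory would come from a package manager or asset-management tool and the advisory list from the US-CERT feed the article tells you to subscribe to; the part worth keeping is the numeric version comparison and the "days since advisory" column, which turns a mailing-list subscription into a deadline someone is accountable for.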
Keep in mind that software patching is only one small element of a data security management plan. There are many other risk areas. HIPAA security readiness is not just an IT responsibility. It requires attention from management and IT. The first step in developing a security management plan is to complete or update your Security Risk Analysis.