By Matt Gross
Perhaps the biggest breach in Internet history came to light last Thursday when Equifax revealed that hackers had stolen large amounts of personal data through its website. The intruders accessed the data of 143,000,000 consumers, including names, social security numbers, birth dates, addresses, and driver’s license numbers. Over 200,000 credit card numbers and over 182,000 customer dispute documents were also stolen.
Many security experts are considering this to be the worst data breach in history. Since the data involved is so sensitive, it has the potential to wreak havoc on millions of lives by giving thieves the tools to steal online identities.
The consequences for Equifax are already severe. With its stock price in rapid decline, the company is facing multiple class action lawsuits and fierce attention from regulators. Moreover, its initial public relations response, managed apparently by Edelman, did little to reassure anyone. The response included a website for consumers to check whether their personal data was stolen, but that site was flawed with software bugs, incorrectly implemented security certificates, and terms of service that implied users were giving up their right to litigation. Clouding public perception further was the news that three top Equifax executives sold large shares of stock immediately after the breach occurred but before it was made public.
It’s likely that this breach will bring much needed pressure on the industry to clean up its act. Equifax and its competitors in the credit rating business have for years carried a reputation for neglecting security despite the highly sensitive data they store. So far the industry has managed to escape oversight because market research data does not fit squarely within the sights of existing regulators. However, millions of furious consumers are likely to influence public policy, and perhaps the market research industry will begin to implement better security practices.
While Equifax was initially reluctant to reveal details of the breach, they have since admitted that the breach was due to their failure to patch a vulnerability in Apache Struts, a software toolkit for creating Java-based web applications. Since Equifax was using Apache Struts in an application with highly sensitive data, and the vulnerability had been widely known in the hacking community for over two months, the intrusion was apparently preventable.
This breach teaches valuable lessons for every company with a website that accesses sensitive data.
Websites are typically assembled from many components that need to be updated regularly. Modern websites often consist of hundreds or thousands of third-party software packages, including both commercial software and open source software. This is a good practice because it allows software developers to make use of specialized code that’s been carefully tested and regularly maintained instead of writing all their code themselves. The community of developers adds strength in numbers because the community monitors the performance of software packages and reports back to the original developer whenever there are problems such as a security vulnerability. When a security vulnerability is discovered, the original developer will make an update to their software and notify everyone who's using the software package that they need to modify their software to use the new update. Using the example of the Equifax breach with Apache Struts, it's possible that the developers of the Equifax website didn't notice that the Apache Struts software had been updated with a security patch. However, a more likely scenario is that someone at Equifax received the notice, estimated that the patch implementation would require significant resources, and pushed it low down in the work queue. This is a recipe for security disaster, yet it is surprisingly common in companies where management does not consider security to be a top priority.
The solution is to create software development processes that update all software on a regular cycle. Ideally, this is done via automated scripts that enable a software development practice called continuous deployment, which is being increasingly adopted by leading technology companies. Continuous deployment allows new software updates to be pulled down, incorporated into code, and tested automatically. An entire software stack can be updated with minimal involvement of IT staff. However, even if a company chooses not to implement continuous deployment, there are plenty of other options to keep software up to date. The most important thing is to allocate time within normal development cycles for software updates to be incorporated. This practice can be reinforced by mandating a time period within which all software must be updated.
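A mandated update period only works if something checks it. The following is an added example, not code from the article or from Equifax: it audits a component inventory against an assumed 30-day patch window. The inventory entries, version numbers, dates and the window length are all constructed for illustration.

```python
from datetime import date

PATCH_WINDOW_DAYS = 30        # assumed policy value, not from the article
AUDIT_DATE = date(2024, 6, 1)  # constructed "today" for the sample run

# Constructed inventory: (component, installed version, first fixed version,
# date the security fix was released). All names and versions are made up.
INVENTORY = [
    ("example-web-framework", "2.3.1", "2.3.2", date(2024, 3, 1)),
    ("example-json-parser", "1.9.0", "1.10.0", date(2024, 5, 20)),
    ("example-logging-lib", "4.2.0", "4.1.5", date(2024, 1, 10)),
    ("example-image-lib", "0.8.0", "0.10.0", date(2024, 4, 15)),
]


def version_key(version):
    """Compare dotted versions numerically, so 0.8.0 sorts before 0.10.0."""
    return tuple(int(part) for part in version.split("."))


def audit(inventory, today, window_days=PATCH_WINDOW_DAYS):
    """Split unpatched components into overdue and still-within-window."""
    overdue, pending = [], []
    for name, installed, fixed_in, released in inventory:
        if version_key(installed) >= version_key(fixed_in):
            continue  # the fix is already deployed
        age = (today - released).days
        if age > window_days:
            overdue.append((name, installed, fixed_in, age - window_days))
        else:
            pending.append((name, installed, fixed_in, window_days - age))
    overdue.sort(key=lambda item: item[3], reverse=True)  # worst first
    pending.sort(key=lambda item: item[3])  # closest deadline first
    return {"overdue": overdue, "pending": pending}


if __name__ == "__main__":
    report = audit(INVENTORY, AUDIT_DATE)
    for name, installed, fixed_in, days in report["overdue"]:
        print(f"OVERDUE by {days}d: {name} {installed} -> {fixed_in}")
    for name, installed, fixed_in, days in report["pending"]:
        print(f"due in {days}d: {name} {installed} -> {fixed_in}")
```

Run in a scheduled job, a non-empty overdue list is the signal that a patch has slipped down the work queue and needs escalation.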
For Equifax, it’s likely there was another breakdown in their website security architecture. Whenever a public website needs to connect to a database with sensitive data, the best practice is to limit the website so that it can only access the smallest set of data that is required. This offers protection because if the website can’t access the data, hackers can’t access it by hacking the website. As an example, if social security numbers are not needed for a website, then social security numbers should not be stored in the database that’s used by the website. On the other hand, if social security numbers are needed, then the website can be restricted so it can only access that data from certain parts of the website and when accompanied by the appropriate credentials.
Other practices for keeping websites secure include:
-Have the IT team set up alerts so they are notified when any of the software packages they are using get updated.
-Set up detailed website logging with alerts for suspicious activity such as large amounts of data being accessed.
-Create written documentation of software code that identifies components involved in the reading or writing of sensitive data, with extra security checks for those components.
-Hold regular security training for software developers and IT staff. If outsourcing, make sure the outsourced staff are receiving high quality security training.
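The logging item in the list above, "alerts for suspicious activity such as large amounts of data being accessed", can be sketched as follows. This is an added example, not code from the article: the log format, the 10-minute window, the 5 MB threshold and the sample lines (which use documentation-only IP addresses) are all constructed, and the log is assumed to be in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding window
MAX_BYTES = 5_000_000           # assumed per-client volume threshold

# Constructed sample log: timestamp, client, path, status, response bytes.
SAMPLE_LOG = """\
2024-06-01T02:00:05 192.0.2.10 /account/summary 200 18000
2024-06-01T02:00:30 203.0.113.5 /reports/monthly 200 3000000
2024-06-01T02:01:00 198.51.100.7 /disputes/export 200 2000000
2024-06-01T02:02:10 192.0.2.10 /account/history 200 22000
2024-06-01T02:03:00 198.51.100.7 /disputes/export 200 2000000
2024-06-01T02:04:00 198.51.100.7 /disputes/export 403 0
2024-06-01T02:05:00 198.51.100.7 /disputes/export 200 2000000
2024-06-01T02:30:30 203.0.113.5 /reports/monthly 200 3000000
"""


def bulk_access_alerts(log_text, window=WINDOW, max_bytes=MAX_BYTES):
    """Return {client: (time of first alert, bytes in window at that time)}."""
    recent = defaultdict(deque)  # client -> (timestamp, size) inside window
    totals = defaultdict(int)    # client -> bytes currently inside window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, client, _path, status, size = line.split()
        if status != "200":
            continue  # only successful responses returned data
        ts, size = datetime.fromisoformat(stamp), int(size)
        queue = recent[client]
        queue.append((ts, size))
        totals[client] += size
        # Drop requests that have aged out of the sliding window.
        while ts - queue[0][0] > window:
            totals[client] -= queue.popleft()[1]
        if totals[client] > max_bytes and client not in alerts:
            alerts[client] = (ts, totals[client])
    return alerts


if __name__ == "__main__":
    for client, (when, total) in bulk_access_alerts(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} {client} pulled {total} bytes")
```

The client at 203.0.113.5 transfers 6 MB in total but never more than 3 MB inside any 10-minute window, so only the sustained bulk export is flagged.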