Cyberseer Blog

Infographic: The true cost of the Equifax breach

Written by Elizabeth Gladen | 12:40 PM on May 28, 2019

Who's Accessing Your Data? This infographic is a timeline highlighting the cost of the Equifax breach… so far! Equifax has reported clean-up costs of $1.4 billion to date. It received $125 million in cybersecurity insurance reimbursement, and the costs continue to rise.

On 8th September 2017 Equifax reported that 143 million consumer records may have been stolen in a massive global data breach. The data included names, addresses and dates of birth, as well as credit card numbers in a smaller number of cases. For UK consumers, the information which may have been accessed is limited to:

  • Names
  • Dates of birth
  • E-mail addresses
  • Telephone numbers

Equifax stated that no UK consumers had residential addresses, passwords or financial data accessed.

The attack occurred between 13th May 2017 and 29th July 2017. It wasn’t discovered until 29th July 2017.

The UK ICO issued a £500,000 fine to Equifax for failing to protect the personal information of up to 15 million UK citizens during the cyber attack in 2017.

The Canadian Office of the Privacy Commissioner has required Equifax’s Canadian division to sign a compliance agreement mandating that Equifax submit third-party audit reports on both its own security and the security of its parent company every two years for the next six years.

Equifax is paying the ultimate price: its latest figures report a loss of $559.9 million for its first quarter ending March 31st, 2019. The resulting legal costs and investigations haven’t stopped taking a big bite out of the company’s bottom line.

Impact:

  • 143 million consumers globally had data stolen (mainly US, Canada and 15 million UK citizens)

Five main factors of the cyber breach:

  1. Identification
  2. Detection
  3. Segmentation
  4. Data Governance
  5. Failure to rate-limit database requests

Failures that led to the Equifax breach:

  • The exploitation of a known vulnerability on an unpatched Apache Struts server. Homeland Security had issued details of the vulnerability some months beforehand.
  • Persistent attackers went undetected for months.
  • Discovery of an unencrypted file of passwords on one system allowed lateral movement across multiple other systems.
  • Attackers were unchallenged when they sent over 9,000 queries to 51 databases containing unencrypted consumer credit data.
  • 265 separate data exfiltration opportunities were missed because the network monitoring system had been inactive for 19 months after its security certificate expired.

The former CIO reported that had Equifax patched the vulnerability within 2 days of patch release, the breach could have been prevented.
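Two of the failures above (thousands of unchallenged database queries, and a monitoring sensor silently offline on an expired certificate) are cheap to detect. The following Python is an added example written for this post, not Equifax's or Cyberseer's code; the audit events, principal names, database names and certificate dates are constructed, and the thresholds are illustrative assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (not real breach data): (timestamp, principal, database).
def build_sample_events():
    base = datetime(2017, 6, 1, 2, 0, 0)
    # an analyst running three ordinary queries, half an hour apart
    events = [(base + timedelta(minutes=30 * i), "analyst", "db01") for i in range(3)]
    # one service account firing sixty queries at eight databases inside five minutes
    events += [(base + timedelta(seconds=5 * i), "svc_batch", f"db{i % 8:02d}") for i in range(60)]
    return events

def flag_query_bursts(events, window=timedelta(minutes=10), max_queries=50, max_databases=5):
    """Sliding-window check: return {principal: reason} for any principal that exceeds
    either the query-count or the distinct-database limit within `window`."""
    findings = {}
    recent = defaultdict(deque)  # principal -> deque of (timestamp, database)
    for ts, principal, db in sorted(events):
        q = recent[principal]
        q.append((ts, db))
        while ts - q[0][0] > window:  # evict events that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(q) > max_queries:
            findings[principal] = f"{len(q)} queries in {window}"
        elif len(distinct) > max_databases:
            findings[principal] = f"{len(distinct)} distinct databases in {window}"
    return findings

def certificate_status(not_after_iso, now_iso, warn_days=30):
    """Classify a sensor certificate as 'expired', 'expiring' or 'ok' so an inactive
    monitoring system is raised as an alert instead of going unnoticed for months."""
    remaining = datetime.fromisoformat(not_after_iso) - datetime.fromisoformat(now_iso)
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

if __name__ == "__main__":
    for principal, reason in flag_query_bursts(build_sample_events()).items():
        print(f"ALERT {principal}: {reason}")
    # constructed dates: a certificate that lapsed long before the breach was discovered
    print("sensor certificate:", certificate_status("2016-01-31", "2017-07-29"))
```

Run as a script it prints one alert for `svc_batch` and reports the sensor certificate as expired; the analyst's normal activity produces nothing.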

Breach costs may continue to grow, and it is impossible at this time to estimate the possible additional loss beyond the amount already accrued.

Cyber-attacks of this nature show why investing in your security systems matters, and why it’s important to do the basics and maintain them. You may also find Cyberseer's additional cybersecurity resources below useful:

8 reasons for detecting and investigating a security incident with a Managed Security Service Provider (MSSP) here

Cyberseer - Managed Security Service Partner