Business, Consumer: Address the Equifax breach, now!

Many steps are yet to be undertaken, and then publicized, to allow the information security community to understand what happened at Equifax that led to their July 29th data breach.  Unfortunately, this community isn’t the priority.  The consumers and clients of Equifax must act quickly and cannot wait for the drip of information to be presented, if it ever will.

“The company maintains that its core credit reporting databases were unaffected—cold comfort given the scale of the breach that did occur. ‘It begs the question, if 143 million people could be affected and this does not touch your core, where were you keeping this data?’ Alex McGeorge, the head of threat intelligence at the security firm Immunity, says. ‘Where does this data live that’s not your core?’”[1]

Some starting (scary) stats regarding this breach based on news sources available today:

  • This isn’t the largest breach in history, although at 143MM potential records of extremely sensitive information, I argue it will be one of the most significant, because industry materially relies on this data to identify customers and extend credit (or insurance, or employment, or housing, and more), and consumers rely on this data being accurate and secured. I also predict that the court system will become involved and a standard for harm will become part of precedent.  It is hard to argue otherwise when every citizen relies upon this data and does not have the ability to control all of its sources.
  • At 143MM, if held true, as much as 44 percent of the US population will feel the impact of this breach for years to come, especially when it comes to their Social Security numbers. You can’t change your Social Security number as easily as a credit card number, and we all have been very slow to move away from the SSN as an identifier.  Every new security product that is in development, or that will be developed, that relies upon this information as a method to identify customers is already breached.
  • You can check if you are one of the potential victims at. Call me cynical, but 1) I am sure you are, 2) every one of your clients is likely to be as well, and 3) should you trust Equifax with more of your private information just to see if they lost it already?
  • KrebsOnSecurity writes that the free link to see if you are affected is marked as a phishing site by OpenDNS, and responds to bogus information.[2] In fairness, TrendMicro rates it as “safe”.[3]
  • The breach took at least 30 days to discover, occurring between mid-May and July, per Equifax. The company said it discovered the hack on July 29. It took another 40 days to make the incident known to consumers and clients. That is 70 days from breach to publicity.

What you should be doing now, as a business reliant upon Equifax:

  • Look at your risk assessments. Many authentication workflows are provided by vendors who ask “out of wallet” (OOW) questions to validate the identity of users.  A significant number of these OOW questions are pulled from Equifax.  This undermines any conclusion that you are able to positively identify your customer by answers to these questions alone.  There are other means to isolate normal client behavior (geography, IP, OS, etc.).  Find out if you can be using these.
  • Online account opening processes should become very stringent.
  • Notify your customers and have them take advantage of the free credit reporting offer from Equifax.
  • Consider restricting your information sharing with Equifax until the source of the breach is identified.
  • Many Vendor Risk Programs exclude credit bureaus (and auditors, legal professionals, examiners, etc) from required due diligence procedures. Consider changing that position.
  • Do not go buy the newest firewall or Advanced Persistent Threat package out of fear. Two things are likely true:
    • Equifax was using very sophisticated software and spent a fortune on analytics and security.   The IT personnel are top notch, both operationally and security-wise.  The odds of your finding a “leading edge” provider that will protect you better than Equifax are slim.
    • We don’t know the root cause yet. Was it Equifax, or was it a vendor Equifax used for storing databases?  We already know that we don’t know: where your data was stored is unanswered at this time.  It is a fair question to ask whether Equifax knows.  Many layers of controls were likely compromised for this to occur at the level we perceive to be the case.
  • If you are storing nonpublic information, you had better go inventory it now. Whoever you use or trust as a vendor, go do it.  Every one of your clients is trusting you to secure their information every day, not just during one audit a year, and you know that the information you will use to provide that data to an external party was just compromised.
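The first item above argues that out-of-wallet answers can no longer carry an identity decision on their own and that contextual signals (geography, IP, OS) should be used instead. The following is an added example of what that looks like in code; it is not from the original post, Equifax, or any vendor product. It compares each login against the customer's own history and treats a correct knowledge-based answer as no evidence at all (only a wrong answer moves the score), so a login that context flags for step-up cannot be cleared by KBA. Customer ids, addresses, weights and thresholds are constructed sample values.

```python
"""
Added example (not from the original post): a login-risk decision in which
correct answers to "out of wallet" (KBA) questions are never treated as proof
of identity. Geography, source network and OS are compared with each
customer's own login history; a failed KBA check raises the risk score, a
passed one contributes nothing. All data and weights below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LoginEvent:
    customer_id: str
    country: str                       # geolocated from the source IP (assumed done upstream)
    ip: str
    os: str
    kba_passed: Optional[bool] = None  # None: out-of-wallet questions were not asked


@dataclass
class Baseline:
    countries: Set[str] = field(default_factory=set)
    networks: Set[str] = field(default_factory=set)   # /24 prefixes seen before
    oses: Set[str] = field(default_factory=set)


def network_of(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so ordinary ISP address churn stays 'familiar'."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baselines(history: List[LoginEvent]) -> Dict[str, Baseline]:
    """Per-customer sets of countries, networks and OSes seen in prior good logins."""
    baselines: Dict[str, Baseline] = {}
    for ev in history:
        b = baselines.setdefault(ev.customer_id, Baseline())
        b.countries.add(ev.country)
        b.networks.add(network_of(ev.ip))
        b.oses.add(ev.os)
    return baselines


# Constructed weights: context can only raise the score; a passed KBA adds nothing.
WEIGHTS = {"new_country": 40, "new_network": 25, "new_os": 20, "kba_failed": 30}


def score_login(event: LoginEvent, baseline: Optional[Baseline]) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). An unknown customer always scores maximal risk."""
    if baseline is None:
        return 100, ["no_history"]
    checks = [
        ("new_country", event.country not in baseline.countries),
        ("new_network", network_of(event.ip) not in baseline.networks),
        ("new_os", event.os not in baseline.oses),
        ("kba_failed", event.kba_passed is False),   # a correct answer is not evidence
    ]
    reasons = [name for name, hit in checks if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    """Map a score to an action; thresholds are constructed for this example."""
    if score >= 60:
        return "step_up_strong"   # e.g. possession factor plus out-of-band callback
    if score >= 20:
        return "step_up"          # e.g. one possession factor
    return "allow"


def evaluate(event: LoginEvent, baselines: Dict[str, Baseline]) -> Tuple[str, int, List[str]]:
    score, reasons = score_login(event, baselines.get(event.customer_id))
    return decide(score), score, reasons


# Constructed login history using documentation-only address ranges.
HISTORY = [
    LoginEvent("cust-1001", "US", "203.0.113.10", "Windows"),
    LoginEvent("cust-1001", "US", "203.0.113.55", "Windows"),
    LoginEvent("cust-2002", "US", "192.0.2.40", "iOS"),
]
BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    for ev in [
        LoginEvent("cust-1001", "US", "203.0.113.77", "Windows", kba_passed=True),
        LoginEvent("cust-1001", "BR", "198.51.100.9", "Windows", kba_passed=True),
        LoginEvent("cust-1001", "US", "203.0.113.80", "Windows", kba_passed=False),
        LoginEvent("cust-2002", "US", "192.0.2.41", "Android"),
    ]:
        print(ev.customer_id, ev.country, evaluate(ev, BASELINES))
```

The second sample login (familiar device, new country and network, KBA answered correctly) still lands in the strongest step-up tier; that is the behaviour the risk-assessment item calls for once the question bank itself is assumed exposed. The /24 collapse and the weights are deliberately simple placeholders for whatever device-fingerprint or IP-reputation signals a given vendor actually provides.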

What you should be doing now, as a consumer:

  • Accept that your private, nonpublic identity is likely now hacked and in the hands of people who should not have it. Assume they will use it at some time in the future, and recognize that may be a few years away.
  • Freeze your credit.
  • Sign up for credit monitoring.
  • Go ask your bank, your credit card, your insurance, what they are doing to protect you.
  • Read your annual privacy notices.
  • Stop automatically sharing your information on your smartphones and tablets when you use a new app, or on Facebook, etc.
  • Reconcile your account statements.
  • Balance your checkbook.
  • Use credit instead of debit when possible.

I am sure there is more to do, and more will come out to add to the list.  I encourage you to take notice as a business owner.  If you can’t state whose NPI is where (not what you take, but whose you have), you need to take steps now.  You are accepting the risk on behalf of customers who did not authorize you to do that.  As a consumer, take control over your information and be diligent about whom you decide to share it with.


Thank you.

Paul B. Hugenberg, III / Chief Executive Officer / InfoGPS Networks, Inc.

Paul is a 25-year veteran in the information risk profession with extensive experience in the performance of information risk assessments for the financial and healthcare industries. He has performed several third-party audits (now SSAE16, formerly SAS70) for significant industry vendors and has created and implemented NIST-based and ISO-based policies for several organizations.

A Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), and Certified in Risk and Information Systems Control (CRISC), Mr. Hugenberg has held the chief information officer role as well as the chief information security officer and IT Auditor roles for institutions ranging from $400M to $16B in assets.

A full profile of Mr. Hugenberg can be found at, along with several articles and blogs regarding the practice of risk and governance.