The Voice of the Industry: The wider implication of data breaches
Fri 10 Nov 2017
If you follow technology news, it’s hard to go a day without hearing about a company or organisation having its systems breached and personal data being leaked to nefarious characters.
Two recent leaks, though, have been particularly galling. The hack of Equifax’s database is significant for a number of reasons, but perhaps primarily because the company’s database holds incredibly sensitive data on a majority of the American population. News has also broken more recently that the initial estimate given by Equifax on the hack’s impact in the UK was low.
UK member of parliament Nicky Morgan has written to both the Financial Conduct Authority (FCA) and Equifax, questioning the company’s behaviour following the breach. The letters have revealed interesting details – such as the UK’s finance regulatory body, the FCA, initially finding out about the hack’s impact in the UK through press reports.
The Paradise Papers scandal has shocked the world. In a similar turn of events to the Panama Papers, it transpires that a large number of the rich and famous, as well as major companies, are engaged in somewhat questionable tax practices. Whatever your opinion on the political and governmental implications, it’s hard to deny that a cyber breach that led to the Queen’s tax affairs being put under scrutiny is big news.
The Stack asked a number of experts, from cybersecurity to media law, about the many questions that arise from these types of breaches.
Sean Masters, Senior Program Manager at Zerto, on Equifax’s need to change
Equifax, like many other large organisations, needs to stop thinking that it has everything under control because based on current events that just isn’t the case.
Based on a recently released Equifax Investor Relations FAQ which notes that capital allocations will not change, the impression that Equifax is giving is that anything it has changed since the breach has been done with existing resources – hardware, software and personnel. This implies that Equifax believes that it should have been able to prevent this breach with what it already had in place.
In short, based on what is publically available, Equifax seems to have changed very little since this very public data breach.
Equifax, like many other large organisations who have experienced major attacks and breaches recently, needs to stop thinking that it has everything under control because based on current events that just isn’t the case. All organisations need to start bringing IT resilience-minded employees and vendors in, and give them a seat at the table. The “bad guys” out there have no problem acting proactively and aggressively when it comes to new techniques and tools, so why would a business, when trying to protect its customers and their data, act any differently?
Michael Marriott, research analyst at Digital Shadows, on Equifax’s disclosure process
Equifax appeared to have been caught on the hop with its overall disclosure process. As bad as the breach has been for consumers in the UK, the situation has been far worse in the U.S. with some speculating that up to around half of the population has been affected in some way. And the data exposed in the U.S. – social security numbers, for instance, is potentially far more damaging than that in the UK. As such, Equifax appears to have put the majority of its efforts into disclosure in the U.S. and neglected its customers in the UK and Canada during this initial breach disclosure. Even if still under investigation it should have alerted the FCA ahead of it finding out through the media.
The EU GDPR regulations will change the breach notification game and firms will be compelled to step up their data breach reporting.
Richard Morrell, CTO at Falanx Group, CISO of the Cloud Security Alliance, and The Stack’s consulting security editor, wrote shortly after the Equifax breach
As both a security professional and a security commentator, I have a foot in two distinct camps. One to tell the story accurately and the other to point out a salient security reality. A reality where the scorn and fury pointed at Equifax could be better harnessed as a wake-up call to every company on the planet to realise that there is a substantial and very real gap emerging that cannot be ignored.
For every major organisation where the IT department comprises of engineering, operational IT, developers, and potentially program managers, the shortfall is in security where an insufficient headcount bridges the gap between risk and stability. The gap between developers and security personnel has never been bigger. Traditional change control is still not aligned with today’s need for continuous integration and continuous development environments.
Chester Wisniewski, Principle Research Scientist at Sophos, on the need for law firms such as Appleby, which held the ‘Paradise Papers’ information, to adapt to modern cybersecurity
Until recently, encryption of sensitive documents was difficult, meaning that terribly sensitive information is available to both malicious insiders and organized criminals
Law firms are common targets in many different kinds of attack. Firms that deal in controversial or high-value clients, in particular, are targeted for both political and financial reasons. Until recently, encryption of sensitive documents was difficult and is still largely not a common practice at most firms, meaning that all of that terribly sensitive information is available to both malicious insiders and organized criminals alike.
Most firms rarely implement strict access controls per user, so they don’t accidentally prevent a partner or others from completing work in an often high pressure, high-stress environment. This has led to many law firms falling victim to ransomware attacks that are devastating in their ability to spread and lock up critical client files. In addition to stricter access controls, the best way to lock down files with sensitive information is to implement an encryption solution that automatically makes documents inaccessible to all but the creator and their team. This combined with timely backups will protect data from malicious insiders, outsiders and ransomware.
David Acheson, lecturer in media law at the University of Kent, on Appleby’s comments, which stated that journalists should not be using information gained illegally
It’s a really complicated situation, but Appleby’s comment seems a bit off. Most journalists would say that the fact that a source has acted unlawfully doesn’t itself determine whether or not it’s ethical to publish the information they’ve revealed. That the papers seem to reveal significant hypocrisy (and possibly illegality, although as I understand it Appleby disputes that) on the part of powerful people and organisations would suggest to me that publishing stories based on them would (subject to normal standards of verification) be ethical, regardless of the motive of the source or the lawfulness of the leak.
Appleby’s statement about journalists’ ‘political objectives’ is odd – the ICIJ spreads the investigative work around so many different journalists and media companies that it seems unlikely that you could sensibly attribute one set of ‘political objectives’ to all or most of them.
Last week: Is the UK an attractive investment prospect?
Come back next week for more new takes on hot topics.