Equifax announced earlier this month that it was hit by a security breach in which valuable data was stolen. The incident reportedly affected 145.5 million US customers of the credit reporting company, whose social security numbers, addresses, birth dates and other personally identifiable information (PII) were taken by the attackers. 15.2 million records belonging to UK customers were also affected.
The breach has shone a spotlight on the need for strict and effective policies on data management and protection. Sensitive personal data like PII is a particularly tempting target for criminals because it can be abused in many ways, from identity theft and account takeover to targeted fraud. Companies that store customer data should have strict policies and be vigilant about their security, since the data they collect is becoming an increasingly valuable commodity for attackers.
Listed below are some general guidelines and best practices that organizations should take note of.
According to the website Equifax put up to manage the crisis, attackers took advantage of the known Apache Struts vulnerability CVE-2017-5638 to access the data. The vulnerability is not new: it was publicly disclosed at the beginning of March, and fixed releases (Struts 2.3.32 and 2.5.10.1) were available at the same time. Some experts noted that it required more resources and labor than usual to patch, because upgrading the framework typically means rebuilding and retesting the applications that depend on it, which might be why many organizations did not update their systems. The vulnerability was already being exploited in March to compromise web servers of large institutions; the attacks were “highly reliable and trivial to carry out,” according to experts. A critical, remotely exploitable code execution flaw that is under active attack should have been a top patching priority for any organization, despite the difficulties involved.
Patching may involve operational disruptions or additional resources, but the benefits outweigh the inconveniences. Any organization, be it a small business or a large multinational, should create an effective patching regimen that fits its environment, starting with an accurate inventory of the software and third-party components it runs, since a vulnerability cannot be patched in a system nobody knows is affected. Organizations that store PII or other sensitive data should be even more careful and keep track of current threats; many attacks rely on exploits for vulnerabilities whose patches have long been available.
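As an added illustration of the inventory step (this is example code written for this article, not anything Equifax or the Apache Struts project published), the following Python script checks the Apache Struts version declared in a Maven pom.xml against the ranges affected by CVE-2017-5638. The affected ranges (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1) come from the Apache Struts S2-045 bulletin rather than from the article; the pom.xml content is constructed sample input.

```python
"""Flag Apache Struts 2 dependencies that fall in the CVE-2017-5638 (S2-045) affected ranges."""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Affected ranges per the Apache Struts S2-045 bulletin (a fact about the CVE, not from
# the article above): 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are vulnerable;
# 2.3.32 and 2.5.10.1 contain the fix. Bounds are inclusive.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((2, 3, 5, 0), (2, 3, 31, 0)),
    ((2, 5, 0, 0), (2, 5, 10, 0)),
]


def parse_version(text: str) -> Version:
    """Turn '2.5.10.1' or '2.5' into a four-component tuple so that tuple comparison
    orders versions correctly (2.5.10.1 > 2.5.10, 2.3.31 < 2.3.32)."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        # e.g. an unresolved Maven property such as ${struts.version}
        raise ValueError(f"unparseable version: {text!r}")
    padded = (nums + [0, 0, 0, 0])[:4]
    return padded[0], padded[1], padded[2], padded[3]


def is_affected_by_s2_045(version: str) -> bool:
    """True if the given struts2-core version lies inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def _local(tag: str) -> str:
    """Strip the Maven XML namespace from an element tag."""
    return tag.split("}", 1)[-1]


def struts_core_versions(pom_xml: str) -> List[str]:
    """Return every version declared for org.apache.struts:struts2-core in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    found: List[str] = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        if fields.get("groupId") == "org.apache.struts" and fields.get("artifactId") == "struts2-core":
            found.append(fields.get("version", ""))
    return found


def audit_pom(pom_xml: str) -> List[Tuple[str, Optional[bool]]]:
    """Pair each declared struts2-core version with True (affected), False (not affected),
    or None when the version is a property placeholder that must be resolved first."""
    results: List[Tuple[str, Optional[bool]]] = []
    for version in struts_core_versions(pom_xml):
        try:
            results.append((version, is_affected_by_s2_045(version)))
        except ValueError:
            results.append((version, None))
    return results


# Constructed sample pom.xml (hypothetical project) declaring a vulnerable Struts release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>customer-portal</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, affected in audit_pom(SAMPLE_POM):
        status = {True: "AFFECTED by CVE-2017-5638", False: "not affected", None: "unresolved property"}[affected]
        print(f"struts2-core {version}: {status}")
```

The four-component padding matters: a naive string comparison would rank "2.5.10.1" below "2.5.9", and treating "2.5" as shorter than "2.5.0" would miss the lower bound of the second range. Running the script over every pom.xml in a build tree gives the list of applications that need the upgrade, which is the input a patching regimen needs before it can prioritise anything.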
The sheer amount of data stored by organizations requires some form of data management and classification. Sensitive and valuable data, of course, should be given priority in terms of security — and a prime example of sensitive and valuable is PII. Protecting the PII of employees and customers should be top of mind for any organization.
Operate on a need-to-know basis so that access to sensitive data is granted only to people who absolutely need it.
Rank data from low-value to high-value and assign protection based on the ranks.
Train employees or any individual who handles data on proper security policies, and emphasize the importance of proper data protection.
Authenticating an individual is a necessary part of most businesses, and there are many different identifiers that can be used. Most financial institutions, and credit bureaus like Equifax, rely on social security numbers (SSN). But the Equifax breach has highlighted the problem with using the SSN as a standard way of authenticating a person’s identity, which was never its intended use: an SSN is a static identifier already known to many parties, so it cannot function as a secret, and unlike a password it cannot be changed once it has been exposed. Even the Social Security Administration has noted that the universality of SSN collection has led to its abuse. As stated on its website: “The universality of SSN ownership has in turn led to the SSN’s adoption by private industry as a unique identifier. Unfortunately, this universality has led to abuse of the SSN. Most notoriously, the SSN is a key piece of information used to commit identity theft.”
Privacy and security experts have recommended more modern ways of authenticating an individual’s identity, including biometrics, hardware or software tokens, and per-user credentials that are unique to each individual. In any case, businesses should look into alternative methods of authenticating customers, and the authentication process should combine several factors rather than hinge on a single, widely shared identifier such as the SSN.
Sharing information between organizations
Organizations often have huge troves of data that they share with their partners or with third parties that help them with their operations. Sometimes the data is simply sent over ordinary communication channels or accessed through shared portals, with little attention paid to how it is protected in transit or to who else can reach it.
Organizations need to be vigilant about whom they share data with and who can access their databases. Third parties that process payments or otherwise participate in an organization’s operations should be vetted and verified to make sure their security is up to par, and their access should be limited to the systems and data they actually need. Any failings in this respect can lead to incidents like the Target breach disclosed in late 2013, which exposed the personal and payment card information of more than 100 million customers and reportedly used network credentials stolen from an HVAC vendor as its entry point.
In a data-driven economy, proper protection and management of data are a necessity for all organizations, regardless of size. As we have seen, inadequate practices can lead to devastating and long-lasting repercussions for the customers as well as for the businesses involved.