Assessing Big Picture Risk Through the Lens of the Equifax Breach
Authored by: Joshua Marpet – COO, Red Lion & Janice Paulson – Data Scientist, Red Lion
Red Lion has no intimate knowledge of why or how the Equifax breach occurred. Red Lion was not involved in the security planning, implementation, or strategy for Equifax, nor have we been consulted for the incident response, crisis communications, or any aspect of Equifax’s security, compliance, security testing, etc.
Your Personal Data and Privacy
Equifax holds information about the bulk of all Americans who participate in common banking and credit transactions. They gather this information from your credit applications such as mortgage paperwork, car loans, and credit cards. They buy information about your address, family members, and other personal details from various sources, and re-sell it, along with their assessment of your creditworthiness, to banks and other lending institutions.
You consent to this every time you participate in the banking or credit lending system.
Equifax was breached sometime in mid-May 2017. They didn’t discover they were breached until July 29th, 2017, upon which they report taking immediate corrective and investigative actions. To be honest, that’s not bad. The typical dwell time (how long a cyber criminal is in the system before being discovered) is months to years.
It is currently thought that they were breached through the Apache Struts framework. According to the Apache press release, it was either through an unpatched Struts install or a zero-day vulnerability, which could not have been anticipated.
Data Breach Disclosure
Forty-eight states, the District of Columbia, Puerto Rico, and other territories have laws around data breach notification. Some of these laws require notification within 30 days, 45 days, or 60 days, while some are nonspecific and stress expediency and notification without unreasonable delay, or depend on the type of data breached. Equifax, with information on 143 million people at risk, chose September 7th, 2017 to disclose their breach publicly. This is just under the 45 day limit of September 12th, 2017. It appears that they may have violated the laws of states which require notice to occur within 30 days or less. Florida is one such state; however, FL may permit an extension request of up to 15 days with appropriate documentation of the circumstances for the delay. UK breach law is being updated to require notice within 72 hours, and Canada doesn’t appear to have a date requirement yet, relying instead on a feasibility clause.
Here is where Equifax fell down, in our opinion. The reporting structure of the security organization is hugely important. Who makes the decisions? Who feeds the decision makers with the proper information? How many levels are between the people with the information and the decision makers who need to consume and have the authority to act on that information?
“This finding comes from the 2014 Global State of Information Security Survey, conducted each year, for more than a decade, by PwC, CSO and CIO magazine. I’ve not previously called-out this data because I thought this argument had been put-to-bed…apparently, I was wrong. So here it is:
with more than 9,000 respondents from around the globe, the survey found that those organizations in which the CISO reported to the CIO experienced 14% more downtime due to cyber security incidents than those organizations in which the CISO reported to the CEO and, when the CISO reported to the CIO, financial losses were 46% higher than when the CISO reported to the CEO. In fact, having the CISO report to almost any position in senior management other than the CIO (Board of Directors, CFO, etc.), reduced financial losses from cyber incidents”
But how common is this in corporate America? Unfortunately, all too common.
Let’s examine Equifax.
Following a breach, it’s not uncommon for an organization to publicly fire various members of corporate or security leadership, or for them to quietly take positions elsewhere, all in the same month, according to LinkedIn profiles. So it’s time to play musical chairs!
According to a LinkedIn profile, which is now inaccessible, Susan Mauldin has been Equifax’s Chief Security Officer (CSO) since 2013, after several “Professional” job titles at various tech companies and a Bachelor’s in Music. Some past positions may have included security leadership. This has generated some scrutiny, and many critical things have been said about her online.
Joseph M. Loughran III is a Harvard educated lawyer who has been in various leadership positions for Equifax since 2006. In June 2017, he transitioned from being the Chief Marketing Officer (CMO), to the President, U.S. Information Solutions. His new job responsibilities now include “insights related to risk management, identity & fraud.”
David Webb has previously won industry awards in his role as Chief Information Officer (CIO) and joined Equifax in 2010. According to archived captures of the corporate leadership page, his job responsibilities have not changed over this past summer.
The CSO, Susan Mauldin, was not listed in corporate leadership before or after the breach discovery, suggesting that there are one or more people between her and the CEO with both greater authority and seniority in the company.
Having multiple people between the primary information conduit and the primary decision maker has already been demonstrated to be a less effective security posture. This means that her prior background as a music major, before what appears to be a long career in the tech industry, is interesting but not necessarily indicative of a problem.
Equifax failed in this case, even without going over how they tried to avert anyone starting a class action lawsuit, how they initially appeared to be using an EULA-like shrinkwrap agreement to get everyone to agree to arbitration, or how they told everyone possibly affected to come find out whether they are affected, rather than specifically notifying everyone involved, as they may eventually be required to do.
They failed before they even got breached. They failed because they did not fully understand risk, in our opinion.
Clear communication is vital in a corporate environment, especially a larger one. Crisis communications are vital. Clear communication to the press, to the public, to the affected victims, to staff, from executives who are authorized, informed and prepared.
Information and Decisions
Collecting, aggregating, and utilizing information is a clear responsibility of the C-level execs. Adding complexity to that chain introduces an opportunity for failure. From information collection and aggregation to decision making, the shorter the decision chain, the better the results.
Testing and Preparing
Did Equifax do table-top risk exercises? Did they have penetration tests performed? Did they have independent third parties check that their compliance was not merely “having the boxes checked”, but actually helping their security maturity? The answers to these questions will likely become public knowledge as part of a future Senate hearing.
Executive Misbehavior or Miscommunication?
Trey Loughran, the Harvard educated lawyer who is now the President of U.S. Information Solutions, responsible for “insights related to risk management, identity & fraud”, was one of the three Equifax executives who collectively did an unplanned dump of $1.8 million worth of Equifax stock on August 1-2, 2017. The stock sales started on the Tuesday after the Saturday breach discovery, but weeks before the public disclosure. Equifax claims these execs were not informed of the breach. Either Trey was not informed, which would be indicative of the communication issues that too much distance in security leadership causes, or Trey was informed, and that may have led to potential executive malfeasance. Either of these scenarios is cause for concern and, at a minimum, cause for all publicly traded companies to strongly consider some training and policy changes. Breach recovery is expensive enough without adding to it the need to devote resources towards SEC investigations.
Will Equifax or its employees ultimately profit from this breach? There were, according to Equifax, 143 million people in the US, UK, and Canada involved in this breach. There are, in the US alone, approximately 350 million people. Effectively, Equifax is getting all of them, in a panic, to check if they were affected, and even if not, to potentially buy credit freezes or monitoring services from Equifax.
So, realistically, looking with a ruthless eye, Equifax had a horrible breach, and may have attempted to leverage the breach into an amazing marketing opportunity, all in one fell swoop!
Notes and References
Verizon (2017). 2017 Data Breach Investigations Report (DBIR). Retrieved from http://www.verizonenterprise.com/DBIR/
Bragdon, B. (2014, June 20). Maybe it really does matter who the CISO reports to. CSO. Retrieved from http://www.csoonline.com/article/2365827/security-leadership/maybe-it-really-does-matter-who-the-ciso-reports-to.html
https://www.linkedin.com/in/susan-mauldin-93069a (no longer available)
Literally, “Professional” was her job title.
Using the Equifaxsecurity2017.com website, rather than notifications.