Last week Equifax disclosed that vital data such as name, date of birth, and social security numbers were compromised by a cyber security breach. Equifax reported they discovered the breach on July 29, but they didn’t publicly announce the hack until six weeks later. The lag time can be explained because federal agencies were investigating the breach and Equifax did not want to compromise the investigation.
This latest attack follows successful breaches of companies such as Choice Point, Home Depot, Sony, Target, and countless other companies housing personal data and information.
Officially, Equifax indicates that “criminals exploited a U.S. website application vulnerability” to gain access to personal information of 143 million Americans.
To determine if your information was compromised, go to equifaxsecurity2017.com, or call 866-447-7559. Equifax is offering free credit monitoring for a year, which people can sign up for at the website.
Weekly we receive reports about businesses, small, medium, and large as well as government agencies being “hacked” or breached. Valuable information such as trade secrets and personal identifications have been successfully compromised at an enormous price.
What should your company do when a breach is discovered?
The first step is to assess the degree of damage and what was stolen from the system. At this point the CEO, or CFO, may want to consult with a cyber security firm rather than depend on in-house IT employees or before a federal agency has been contacted. Several reasons exist to get a third-party review.
The first reason is you are not certain that an inside employee was not involved in the breach. A United States Secret Service & Carnegie Mellon study revealed that an inside employee is involved in data theft 37% of the time there is a breach and data is stolen. Second, your IT staff may not be proficient in a cyber intrusion investigation and they could compromise valuable evidence that would destroy chain of custody and render the case both civilly and criminally ineffective. Third, you don’t know whether someone from your IT department is involved with the breach by colluding with the hackers. Fourth, if your IT staff is effective in identifying the intrusion and the intruder and the case goes to court, a good defense attorney could impeach the witness by claiming the employee slanted the evidence against his/her client because they worked for the company.
Once the damage assessment has been made, the company should notify a federal agency if it is determined that personal data or trade secrets have been stolen. The United States Secret Service generally responds to breaches of personal data for identity theft and financial data. The FBI responds to breaches of critical infrastructure and terrorism. However, both agencies work very closely together and are part of the Cyber Crime Task Force.
At some point the company has a fiduciary responsibility to notify every customer or person in the system that their information has been compromised, while at the same time extracting the malware or correcting the breach. California was the first state to enact the “breach law” that instructs companies and government agencies to notify. The only caveat to the breach law is if the information stolen was encrypted or a law enforcement agency is involved in the investigation. However, when the law enforcement agency has completed their investigation, there is still a demand to notify.
Lastly, every company should conduct an IT & physical security risk assessment to identify weaknesses in their system. A security assessment should be followed with recommendations and implementation of a layered approach to security.
However, this does not ensure a breach will not occur. It is incumbent upon the company to have an emergency contingency plan to identify “hot sites” and “cold sites”, before the system is compromised. When a breach does occur, it is imperative that your company move unaffected data to another server or "hot site" to continue your flow of business. Without an effective contingency plan, you could be shut down for an extended period of time or worse, out of business.
Ron Williams, CFS
United States Secret Service-Retired