Computer Security Technology Ltd


December 4, 2019

Just how does failing to patch lead to a prison sentence?

Perhaps one of the most notorious data breaches of our time, the Equifax 2017 scandal shocked and rocked the world; not just the security industry, but everyone. To think that a CIO could end up with a prison sentence (for neglecting a simple patch, in this case) seems crazy. But that’s exactly what did happen, and in this article we will walk you through the timeline of events that led to the breach occurring, when it was detected, reported and mitigated – as well as the repercussions for those held accountable for such a monstrous exposure of personal information.

The attackers were able to gain access to the Equifax databases simply because a patch, which was free to download and use, wasn’t installed when it should have been. On March 7 2017, the Apache Software Foundation released a patch for vulnerabilities discovered within its software[i]; on March 9, Equifax administrators were told to apply the patch to any affected systems, but the employee who should have done so didn't[ii]. Whoever’s responsibility it was to make sure that fundamental security housekeeping like this took place, the onus must lie with the CIO, who is responsible for implementing and overseeing such processes within their department. This is a harsh lesson to all CIOs and data owners: adopt a zero-tolerance approach to the upkeep of basic security maintenance such as patch management, to avoid another horrific breach of this nature.

As we’ll discover later on in this article, the senior management of Equifax were hit hard, but not quite as hard as the CIO. [iii]Although the CIO, Jun Ying, was not sentenced to prison for failing to apply a patch, he was locked up for 4 months for selling his stock in the company in advance of the public announcement of the breach.


Timeline:

Equifax

[iv]May 2017 – personally identifying data of hundreds of millions of people was stolen from Equifax. The details obtained included:

  • 146.6 million names, (694k UK)
  • 146.6 million dates of birth
  • 145.5 million social security numbers
  • 99 million addresses
  • 209,000 credit cards (number and expiry date)
  • 38,000 American drivers' licenses
  • 3,200 American passport details.

July 29th 2017 – breach detected. [v]This means that the attack went undetected for a staggering 79 days – during which time the attackers gained access to multiple Equifax databases containing information on hundreds of millions of people.

July 30th 2017 – threat removed. Simply meaning that the missing patch was installed. Some might say ‘the horse has bolted!’ and they’d be right. However, to stop any further access by the cybercriminals, this was a necessary move. The next job was to assess the damage and [vi]hire the best PR firm in the land, ahead of the public announcement.

August 3rd 2017 - 4 days later, [vii]Equifax employees initiated the sales of their stocks, as detailed below:

  • CIO: 13%
  • President of US Ops: 9%
  • President of workforce: 4%

Plus various other Senior VPs.

September 8th 2017 – breach publicly announced. [viii]It took another full month of internal investigation before Equifax publicised the breach.

Over the two weeks following the announcement, Equifax stock fell from 142.72 to 92.98 (34.58%).

October 2017 - [ix]the CEO, CIO and CSO all lost their jobs and were replaced following a rapid turnover.

May 2018 - [x]The US Justice Department investigated the sales of company shares, and the Federal Trade Commission investigated the breach.

September 2018 - [xi]The UK ICO issued a £500,000 fine to Equifax. This figure would have been substantially larger had the breach occurred after GDPR came into force in May 2019.

It’s important to note here that, had this breach been committed after the GDPR mandate came into force in May 2019, the fine could have been 4% of Equifax’s global revenue for the year. [1]Their global revenue for 2017 stood at $3.362B, meaning their fine would have been an eye-watering £135M.

June 2019 - [xii]The former Equifax CIO Jun Ying was sentenced to four months in prison for insider trading. He had pleaded guilty earlier in 2019 to selling his stock in the company prior to the announcement that it had been hit with a massive data breach in 2017.


What can we learn from the Equifax breach?

There are many lessons that CIOs can learn from the Equifax breach, but the key points are prevention, detection, reduction and mitigation, as follows:

  1. Adopt and monitor basic security housekeeping. Equifax was breached because it failed to patch a basic vulnerability. Procedures to monitor and verify that patches have actually been applied are as important as the patching process itself.
  2. Once inside, the attackers were able to navigate from database to database and, in effect, take whatever they wanted. A service to monitor unusual network and account activity, or a DLP (Data Loss Prevention) solution, would have helped to identify the breach earlier, if not to prevent the exfiltration of the data in the first place.
  3. CIOs must exercise much more stringent access management controls, and only allow access to a given database by employees who need it for practical business reasons. A least-privilege access policy is the safest.
  4. Once a breach is identified, its management, along with mitigation of the impact, should be passed to an incident committee. To make this committee effective, rehearsals and practice walk-throughs of breaches and incidents are necessary.
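The first lesson above hinges on verifying that a patch actually landed, not on a ticket saying it did. As an added illustration (not from the article, and not Equifax's own tooling), the Python audit below takes the article's March 7 and March 9 dates and a constructed host inventory, and flags hosts still on the vulnerable version past an assumed SLA, hosts whose change ticket was closed but whose scan disagrees, and hosts with no recent scan evidence; the component versions, SLA, scan-age threshold and host names are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Dates from the article; everything else here is a constructed assumption.
ADVISORY_DATE = date(2017, 3, 7)     # vendor releases the fix
PATCH_ORDER_DATE = date(2017, 3, 9)  # administrators told to apply it
DETECTION_DATE = date(2017, 7, 29)   # the day the breach was detected
SLA_DAYS = 7                         # assumed internal deadline for critical patches
MAX_SCAN_AGE_DAYS = 14               # assumed: older scan evidence is not trusted
FIXED_VERSION = "1.4.3"              # placeholder: first non-vulnerable release

@dataclass
class Host:
    name: str
    installed_version: str   # as reported by an independent scan, not by the ticket
    ticket_closed: bool      # change ticket claims the patch was applied
    last_scanned: date

def version_key(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def is_vulnerable(h: Host) -> bool:
    return version_key(h.installed_version) < version_key(FIXED_VERSION)

def audit(hosts, as_of: date) -> dict:
    """Classify hosts as of a given date: 'overdue' (still vulnerable past the
    SLA), 'falsely_closed' (ticket closed but scan still shows the old version),
    'unscanned' (no recent evidence either way), plus days of exposure since the
    advisory for every host that is still vulnerable."""
    deadline = PATCH_ORDER_DATE + timedelta(days=SLA_DAYS)
    result = {"overdue": [], "falsely_closed": [], "unscanned": [], "exposure_days": {}}
    for h in hosts:
        if (as_of - h.last_scanned).days > MAX_SCAN_AGE_DAYS:
            result["unscanned"].append(h.name)
        if is_vulnerable(h):
            result["exposure_days"][h.name] = (as_of - ADVISORY_DATE).days
            if as_of > deadline:
                result["overdue"].append(h.name)
            if h.ticket_closed:
                result["falsely_closed"].append(h.name)
    return result

# Constructed sample inventory (hypothetical hosts, not Equifax systems).
INVENTORY = [
    Host("web-01", "1.4.3", True, date(2017, 7, 20)),   # genuinely patched
    Host("web-02", "1.4.2", True, date(2017, 7, 20)),   # ticket closed, patch never landed
    Host("web-03", "1.4.2", False, date(2017, 4, 1)),   # never patched, stale evidence
]

if __name__ == "__main__":
    print(audit(INVENTORY, DETECTION_DATE))
```

Run against the sample inventory as of the detection date, web-02 is the case the article warns about: the paperwork says patched, the scan says otherwise, and it has been exposed for 144 days.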


All of these lessons are painful. However, the cost of ensuring your basic security needs are met is nowhere near as painful as the cost and impact of a breach.

For more information on how you can adopt more effective security housekeeping methods or to ensure your business doesn’t hit the headlines for similar reasons to Equifax, contact our specialist Sales Team who will be in touch to discuss your requirements.