Monday, February 10th, the US government charged four members of China’s People’s Liberation Army who they say are responsible for the attack on Equifax in September 2017. With these charges, the event is categorized as one of the largest state-sponsored thefts of personally identifiable data on record. The charging documents also give us more information on the attack than we had before. We can now see that Equifax did not follow basic IT security steps in the lead-up to the breach. As small business owners, we can learn a lot from the way customers’ data was mishandled and how it was stolen.
Lessons we can learn from Equifax Update:
The original breach occurred because Equifax did not keep up with patches and updates. Apache Software Foundation found a vulnerability in its software which gave hackers the opportunity to access systems from anywhere in the world. As part of the announcement, Apache released a patch and instructions on how to fix the issue. Equifax ignored the announcement, did not patch their systems, and the Chinese hackers were inside Equifax’s systems within weeks, the DOJ report states.
Once inside Equifax’s systems, the hackers explored the databases looking for sensitive material. The investigation also revealed Equifax was storing personal information, including social security numbers, in an unencrypted manner. The DOJ report shows clients’ personal information stored in plaintext format. This means that once the hackers had breached the systems and found the data they wanted, there were no other obstacles in their way.
Along with these two blunders is a laundry list of missteps by Equifax that made the data easier for the hackers to access. The FTC found Equifax stored administrative credentials on their servers in plaintext format, easily accessible if found. They were using long-expired security certificates, another offense going back to patching and updating. They also failed to segment the databases, which would have limited the damage in the event they were hacked.
Once inside the database, the hackers had no trouble finding the data in easy-to-access formats, breaking it into small packages so it wouldn’t be noticed by network security, and exfiltrating it from the servers.
Equifax was a very large hacking event with a lot of publicity, but it follows the same pattern we see in the small- to medium-sized business world. It normally takes more than one thing to go wrong for hackers to be able to access private data. Adhering to a simple security framework would have prevented the attack altogether. At Quanexus, we use our Q-Stack as our security framework. As you can see, Patches and Updates are the second level in the security framework.
We released the first in a video series on ‘Getting Started in IT Security.’ The video series covers some of this basic framework to secure your company’s and customers’ data. Please subscribe and follow along to understand the first steps in securing your business data.