1. Security Industry Responds to Massive Equifax Breach
On Sept. 7, credit monitoring and reporting agency Equifax admitted that it was the victim of a massive data breach that revealed personally identifiable information on 143 million U.S. consumers. Based on an initial forensic investigation, Equifax has determined that the attackers had access to Equifax’s systems for a two-month period this year, from mid-May through July. Equifax has provided sparse details on the cause of the breach, other than that it was a web application vulnerability. Security vendors, meanwhile, have been quick to comment and speculate on the root causes of the Equifax breach, as well as to offer their perspective on what Equifax and the victims of the breach should do next.
2. Poor Security Design Continues to Be a Problem
“With the personal details of up to 143 million Americans compromised, this breach acts as another reminder about the dangers of poor security design. Too often companies focus on features and functions and layer security on as an afterthought. That must change. Hackers and cyber-criminals can quickly exploit any flaw in a web application without too much trouble, and this looks to be the case here.” —Andrew Avanessian, chief operations officer, Avecto
3. Secure Coding Development Practices Are Required
“The breach appears to be related to a website application vulnerability, which could be anything. But this all comes back to sound security development coding practices, active application scanning and testing, and integrating security into the engineering and development processes to make web applications more resilient.” —Chris Pierson, chief security officer, Viewpost
4. Cyber-Security Skills Shortage Means Bug Bounties Are a Must
“No one is perfect, and everyone is being hacked in some way or another. Financial services have always been attractive targets for criminals, and this trend continues as everything goes online. It’s also not news that the cyber-security industry is facing a severe skills shortage. Teams are typically short-staffed, underfunded and doing the best they can. That’s why it’s so important to open up a channel of communication with the ethical hacker community to help surface critical bugs before they are exploited.” —Marten Mickos, CEO, HackerOne
5. Why Everyone Should Request a Credit Check
“Once a Social Security number is no longer a valid means of identifying oneself, we have to establish a new, as of yet unknown, order. It’s of utter importance that ALL personal data is protected. In the short term, every American adult should request a credit check and monitor their financial records closely.” —Ebba Blitz, CEO, Alertsec
6. Equifax Hack Is the New Normal
“The unfortunate Equifax breach is just another embodiment of the threat environment that organizations face every day—this is the new normal. The rise of large-scale data collection and aggregation has placed considerable pressure on organizations to preserve privacy while leveraging data for legitimate business purposes. The more sensitive the data, the greater the liabilities caused by a breach.” —Dr. Richard Ford, chief scientist, Forcepoint
7. It’s Time to Be Paranoid
“While we don’t yet know the full dimensions of the Equifax breach, where the most sensitive information of over one-third of the American population could have been exposed to cyber-criminals, tens of millions of us are now forced to look over our shoulders for the rest of our lives because tons of Social Security numbers, the skeleton key to our lives, are out there for cyber-criminals to steal and exploit.” —Adam Levin, chairman and founder, CyberScout
8. Equifax Was an Obvious Target
“The credit bureaus have made mountains of money monitoring Americans’ credit. The cyber-crime community is well aware that the bureaus house a treasure trove for data theft. It is my feeling that the majority of credit bureaus do not practice what they preach and have underinvested in cyber-security.” —Tom Kellermann, CEO, Strategic Cyber Ventures
9. The Answer Is Not More Credit Reporting
“Consumers must assume their data is out there and available for sale on the dark web. They’re monitoring their credit because they’ve lost trust in companies to protect the personal data, but the answer isn’t more credit reporting—it’s privacy and security by design.” —Brian Vecci, technical evangelist, Varonis
10. Consider the GDPR Impact
“The Equifax breach not only affects nearly half of the U.S. population, it also includes personal data of residents in the UK. If this breach had occurred after May 2018, when the EU’s new General Data Protection Regulation (GDPR) goes into effect, Equifax could have had to pay penalties of up to $120 million (4 percent of global revenues).” —Pravin Kothari, founder and CEO, CipherCloud
11. Breach of the Year
“Just when we think the days of massive breaches are behind us, another company pops up and says, ‘Here, hold my beer and watch this!’
All joking aside, this is likely going to be the ‘breach of the year,’ if such awards were handed out. Over 140 million Americans have had their info potentially stolen. That’s over 40 percent of the entire population of the United States.” —Richard Henderson, global security strategist, Absolute