
The Equifax and SEC Data Breaches: Takeaways, Reminders & Caveats

By Kevin La Croix (The D&O Diary).
28 September 2017

It has been a busy time for cyber-attacks. Equifax, one of three elite repositories of personal credit information, and a trusted source for personal security and identity theft defense products, disclosed a cyber-attack that could potentially affect 143 million consumers — nearly half of the US population. The accessed Equifax data reportedly includes sensitive information such as social security numbers, birthdays, addresses, and in some instances, driver’s license numbers — a virtual treasure trove for identity thieves.

SEC Chairman Jay Clayton also announced a data breach into the SEC’s EDGAR system, a vast database that contains information about company earnings, share dealings by top executives and corporate activity such as mergers and acquisitions. Accessing that information before it’s disclosed publicly could allow hackers to profit by trading ahead of the information’s release.

The impact of these two recent data breaches will be unprecedented. Equifax, a company that charges its customers for protection and fortification from hackers, apparently cannot even protect itself from that very threat. Meanwhile, tasked with the enforcement of cybersecurity standards for financial firms such as brokerage firms and investment advisers, the SEC may have failed to meet data security guidelines and advisories that they themselves have promulgated. Moreover, as the guardian of U.S. capital markets and sworn protector of investors, the SEC may now unwittingly become a securities fraud kingpin, inadvertently sourcing ironclad tips of nonpublic information to an online stock trading ring.

No doubt that the irony of the Equifax and SEC cyber-attacks is glaring, proving once again that truth can be stranger than fiction. But lost amid the predictable condemnation, outrage and mockery are a few important takeaways worthy of attention.

The Upside Down World of Data Breaches

Despite the inevitability of data breaches, and the fact that many data breaches are acts of state-sponsored terror, there still remains an instinctive tendency to blame the victim. This misdirection seems unfair to say the least.

For instance, when Senate majority leader Charles Schumer lambasted Equifax, accusing its executives of “the greatest instance of corporate malfeasance since Enron,” he sorely missed the point. For the public to expect companies like Equifax or government agencies like the SEC to avoid data breaches is not just unrealistic and lofty, it’s absurd. Trying to avert a cyber-attack is like trying to prevent a kindergartener from catching a cold during the school year.

Chairman Clayton admitted as much in his extraordinarily candid disclosure of the SEC data breach, stating that, “We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.” Chairman Clayton has clearly signed on to then-FBI Director James Comey’s 2014 proclamation that, “There are two kinds of big companies in the United States. Those who’ve been hacked . . . and those who don’t know they’ve been hacked.”

The breaches of Equifax and the SEC are not at all surprising, and in truth, should not shock the conscience of anyone who has been paying the slightest attention to the data breach landscape. For years, legions of soldiers from across the globe (e.g. from China, North Korea and Iran) have woken up each morning with only one mission: to attack American computer systems and exfiltrate whatever data and information they can. The SEC in particular joins a lengthy list of government agencies who have experienced devastating cyber-attacks including:

Digital Forensic Investigations Take Time

When a data breach happens, the public’s demand for immediate answers is understandable. Life savings are at risk while the perpetrators of hacking schemes are rarely identified, let alone captured and prosecuted. However, in the aftermath of most data breaches, there exists no CSI-like evidence which would allow for speedy evidentiary findings and rapid remediation.

The most effective cyber-attack investigative methodology is a tedious and exhaustive iterative process of digital forensics, malware reverse engineering, monitoring and scanning. As analysis identifies any possible indicator of compromise (IOC), investigators examine network traffic and logs, in addition to scanning system hosts for these IOCs. When this effort reveals additional systems that may have been infiltrated, investigators will then forensically image and analyze those systems, and the process repeats itself. Armed with the information gathered during this “lather, rinse, repeat” phase, investigators can detect additional attempts by an attacker to regain access and begin to contain the attack.

While some breaches may provide key evidence early on, most never do, or even worse, provide a series of false positives and other stumbling blocks. The evidence among the artifacts, remnants and fragments of a data breach is rarely in plain view; it rests among disparate logs (if they even exist), volatile memory captures, server images, system registry entries, spoofed IP addresses, snarled network traffic, haphazard and uncorrelated timestamps, Internet addresses, computer tags, malicious file names, system registry data, user account names, network protocols and a range of other suspicious activity.
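The “lather, rinse, repeat” loop described above, and the false-positive trap that the following paragraph warns about, can be shown in miniature. The script below is an added illustration written for this page; it is not code from the article, from Equifax, the SEC or Mandiant. It starts from one seed IOC (a command-and-control address obtained, in the scenario, from malware reverse engineering), sweeps constructed proxy and endpoint logs for hosts that match, “images” each newly identified host by harvesting everything it talked to or executed as candidate IOCs, and repeats until no new host appears. The host names, RFC 5737 documentation addresses and `PLACEHOLDER_HASH_*` values are all constructed; the `KNOWN_GOOD` allowlist stands in for the analyst triage that, in a real case, keeps a shared update server or a common system binary from dragging the entire fleet into scope.

```python
"""Iterative IOC sweep over constructed logs (hypothetical example, not the article's code)."""
import re

# Constructed sample telemetry. Hosts are fictional, addresses come from the
# RFC 5737 documentation ranges, and the hashes are labelled placeholders.
PROXY_LOGS = """\
2017-07-29T10:02:11Z host=web-01 dst=203.0.113.7 bytes=48211
2017-07-29T10:05:40Z host=web-01 dst=198.51.100.20 bytes=917332
2017-07-29T11:00:00Z host=web-01 dst=192.0.2.10 bytes=1024
2017-07-30T02:14:09Z host=db-02 dst=198.51.100.20 bytes=22010
2017-07-30T02:20:00Z host=db-02 dst=192.0.2.10 bytes=1024
2017-07-30T08:00:00Z host=hr-03 dst=192.0.2.10 bytes=1024
""".splitlines()

ENDPOINT_LOGS = """\
2017-07-29T10:06:02Z host=web-01 sha256=PLACEHOLDER_HASH_WEBSHELL path=/opt/app/tmp/x.jsp
2017-07-30T02:15:33Z host=db-02 sha256=PLACEHOLDER_HASH_IMPLANT path=/usr/local/bin/svc
2017-07-31T19:41:27Z host=mail-04 sha256=PLACEHOLDER_HASH_IMPLANT path=/usr/local/bin/svc
2017-07-31T19:42:00Z host=mail-04 sha256=PLACEHOLDER_HASH_SYSTEM path=/bin/ls
2017-07-31T20:00:00Z host=hr-03 sha256=PLACEHOLDER_HASH_SYSTEM path=/bin/ls
""".splitlines()

# Triage allowlist (constructed): the internal update server and a benign system binary.
KNOWN_GOOD = {"192.0.2.10", "PLACEHOLDER_HASH_SYSTEM"}

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one 'key=value key=value' log line into a dict."""
    return dict(KV.findall(line))


def hosts_matching(records, keys, iocs):
    """Hosts whose records carry any current IOC in one of the given fields."""
    return {r["host"] for r in records if any(r.get(k) in iocs for k in keys)}


def artifacts_from(records, keys, hosts):
    """Candidate IOCs harvested from the records of freshly identified hosts."""
    return {r[k] for r in records if r["host"] in hosts for k in keys if k in r}


def sweep(proxy_lines, endpoint_lines, seed_iocs, known_good=KNOWN_GOOD):
    """Expand a seed IOC set to a fixed point: match hosts, image them, harvest, repeat.

    Returns (sorted compromised hosts, final IOC set, number of rounds that found new hosts).
    """
    proxy = [parse(line) for line in proxy_lines]
    endpoint = [parse(line) for line in endpoint_lines]
    iocs = set(seed_iocs) - known_good
    compromised = set()
    rounds = 0
    while True:
        # Scan network logs for IOC destinations and host telemetry for IOC hashes.
        found = hosts_matching(proxy, ("dst",), iocs) | hosts_matching(endpoint, ("sha256",), iocs)
        new_hosts = found - compromised
        if not new_hosts:
            return sorted(compromised), iocs, rounds
        rounds += 1
        compromised |= new_hosts
        # "Image" the new hosts: everything they contacted or ran is a candidate IOC,
        # minus the allowlist. Without that triage step, shared benign infrastructure
        # becomes an IOC and every host that used it is flagged (see the test below).
        candidates = artifacts_from(proxy, ("dst",), new_hosts) | artifacts_from(endpoint, ("sha256",), new_hosts)
        iocs |= candidates - known_good


if __name__ == "__main__":
    hosts, iocs, rounds = sweep(PROXY_LOGS, ENDPOINT_LOGS, {"203.0.113.7"})
    print(f"{rounds} rounds; compromised hosts: {hosts}")
    print("final IOC set:", sorted(iocs))
```

With the allowlist in place the sweep takes three rounds (web-01 via the seed address, db-02 via the staging address harvested from web-01, mail-04 via the implant hash harvested from db-02) and hr-03 is never flagged. Passing an empty allowlist makes the update server an IOC in round one and pulls hr-03 into scope in round two, which is exactly the kind of false positive the investigation has to recognise and discard rather than act on.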

In short, the evidence analyzed during a data breach response is a massive, jumbled and chaotic morass of terabytes of data. That is why the investigation of a data breach can take weeks, perhaps months, before any concrete conclusions begin to take shape. Rushing to judgment not only creates further confusion and expense, but it also undermines the objectivity, truth and confidence that the public deserves.

The Cybersecurity Personnel Crisis

The greatest virtual threat today is not state-sponsored cyber-attacks, newfangled clandestine malware, or a hacker culture run amok. The most dangerous looming crisis in information security is instead a severe cybersecurity labor shortage, with experts predicting 3.5 million cybersecurity job openings by 2021. Like modern-day fighter pilots, cybersecurity professionals are not merely a company’s elite corps of talented professionals with special skills; the company also cannot win the (cyber) war without them.

Academia has unfortunately failed to keep up with industry trends and is not producing enough cybersecurity specialists to handle surging demand. According to one recent study, only a handful of the 50 top university computer science programs in the U.S. require that students take even one cybersecurity course. There exist world-renowned schools and academic programs of law (despite an extraordinary glut of attorneys and 200+ accredited law schools); business (despite the decreasing value of an M.B.A. and almost 400 U.S. business schools); and journalism and politics (as if we need more pundits). Yet there remains a dearth of campuses dedicated to computer science, cybersecurity and data breach response.

Cybersecurity threats are also constantly evolving, so that by the time students graduate, some lessons are already obsolete. Meanwhile, the nature of the legion of cyber-attackers has similarly progressed, from “black hat” hackers and profiteers to organized cyber gangs and rogue nation states.

In short, a cybersecurity patch of employees cannot sprout overnight – it takes time. The cybersecurity field is a lot like the medical field; building a skillset takes experience as an intern, resident and attending.

Disclosure Delay

Now “retired” Equifax CEO Richard Smith told a breakfast meeting in mid-August 2017 that data fraud is a “huge opportunity,” allowing Equifax to sell consumers more offerings. Smith touted the company’s credit-monitoring offerings, according to a video recording of the meeting at the University of Georgia’s Terry College of Business, and declared that protecting consumer data was “a huge priority” for the company.

But what the Equifax CEO failed to mention was that less than three weeks earlier, Equifax had apparently discovered a potentially massive data security incident and that Equifax had called in expert incident response firm Mandiant to investigate. Yet it was not until a few weeks later, on Sept. 7, that Equifax disclosed the massive data breach to the public.

The SEC apparently undertook a similar route of delayed notification. Reports and SEC Chairman Clayton’s testimony before the Senate Banking Committee indicate that the SEC data breach was discovered in 2016, and the possible illegal trades were detected in August of 2017, but the SEC did not disclose any information about the incident until September 20th.

Both teams of SEC and Equifax senior executives have angered their constituents with their arguably sluggish disclosure. Both entities probably focused too much upon what they were legally and contractually obligated to disclose, rather than taking a more holistic approach to the question. Moreover, both Equifax and the SEC failed to heed the realities of “incidental disclosure.”

Incidental disclosure


Article Source

Permission has been granted for this article to be reproduced on the LMA website by the author, Kevin La Croix from The D&O Diary.
