D. Justhy's Blog

"Getting to Yes, Now!"

Equifax Data Breach: Humbled by a Business Strategy Breach

Google “security breach” and one of the first items of news you’re likely to come across would be about the recent breach at Equifax.

The Equifax hack led to the exposure of personal information that belonged to over a 100 million people. Naturally, the magnitude of the breach has stirred up discussions concerning ethics, legal liabilities, and public relations. Of course, Equifax has found itself in a great dilemma.

Now, we could spend all day debating where Equifax went wrong and what they should or could have done. However, that would be counterproductive. The best thing that other organizations can do right now is to learn from the mistakes made by Equifax. Here are a few key ones that are worth the observation.

Failure to protect data

The first round of reports placed the blame on an ignored bug within the Apache Struts application.

Now, we aren’t going to argue the authenticity of this report. But, it’s safe to assume that there were other vulnerabilities that existed as well. Single vulnerability points are rarely known to lead to breaches of this magnitude.

There are a few key questions that we need to ask. Firstly, why was so much data made available to a web application? Secondly, could there have been protective measures in place to avoid this kind of a compromise? Thirdly, should Equifax have assumed possible vulnerabilities in the web application?Finally, did Equifax do enough to prevent a data leak?

The answers to these questions need to deal with both, what caused the failure and what could have been done to prevent failure. It is necessary to look at the complete architecture in order to make sure that a single vulnerability does not impact the entire system. There must be other components withinthe architecture that can prevent further compromise.

Failure in detecting an intrusion

If protection doesn’t work, there must be robust detection capabilities in place to know that an intrusion is taking place. Equifax made a major mistake by allowing a single system to have access to all the data. Data access is a major area of concern and organizations must have the tools to assess data access at all times.

For example, network analytics is great when it comes to detecting strange or “out of the blue” activities. Similarly, behavioural analytics can be used to detect out of the ordinary access patterns.

It’s certainly NOT an IT only problem, especially in the digital age

 Most businesses which consider themselves to be ‘traditional’ in nature, would argue that these matters are for the back offices. However, the business models suitable for the digital age, would not tolerate that view point but would instead consider a business model that creates value in the digital age, and this would indeed consider the matter of data security well within the business strategy as well as the business model.

A data breach is breach to the business strategy.  Let’s have a business strategy that will minimize, prevent and then eventually eliminate data breaches