As each week brings the 25 May 2018 deadline for GDPR compliance closer to hand, we seem to be faced with yet another report highlighting poor levels of preparedness among organisations. Recent findings reveal that an astonishing 64% of UK firms have not yet begun preparations for the sweeping new data protection law. Yet as shocking as these stats are, a far more effective way to focus the minds of IT security and business leaders is to highlight some recent big-name data breaches and consider how the companies affected would have been treated in a post-GDPR world.
For Equifax, there’s particularly bad news: it’s likely the firm’s inadequate security and incident response would have landed it a fine of at least $69m, and probably a lot more. If nothing else, it should serve as a cautionary tale: get your house in order now, and to do so, follow industry best practices. It might seem like obvious advice, but while firms keep making the same old mistakes, it remains worth repeating.
A Litany of Errors
We’re still learning the details of what happened at the credit agency, but the breach exposed highly sensitive PII on 143 million Americans, almost half the population of the US, and around 400,000 Britons. What we know from the firm’s latest update is that attackers exploited a known vulnerability in the Apache Struts web application framework (CVE-2017-5638). After noticing suspicious network traffic associated with its online dispute portal web application on 29 July, the firm says it took the portal offline and patched the bug the next day.
So far so good. Except not really. Further down the missive we read that “the particular vulnerability in Apache Struts was identified and disclosed by US CERT in early March 2017.” The firm goes on to say,
“Equifax’s Security organisation was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”
So not only did the firm apparently fail to patch a known vulnerability properly, leading to a huge data breach, but it then took six weeks to notify its customers. When it did, many complained that the dedicated website it set up, which was subsequently found to contain flaws of its own, looked like a phishing domain. Equifax’s own support staff even tweeted a lookalike domain that had been set up by a white hat hacker to customers several times in error.
Perhaps, after this litany of mistakes, it’s no surprise that the firm’s CEO, CIO and CSO left the organisation.
Fines are Coming
It’s unclear how much Equifax’s poor patching would have cost the firm under the forthcoming GDPR, but it would certainly have fallen foul of the requirement to “implement appropriate technical and organisational measures” to secure customers’ personal data. We do know that the maximum fine for failing to notify the supervisory authority within 72 hours of becoming aware of a breach is €10m or 2% of global annual turnover, whichever is higher: around $69m based on Equifax’s projected 2017 revenue. Equifax did nothing wrong legally in this regard, as there is no comparable federal 72-hour requirement in the US, but post-May 2018 a firm in its position that falls under GDPR would be in for a significant financial hit.
So, what can we learn from this cautionary tale?
Patching is a fundamental cybersecurity best practice, just as multi-factor authentication (MFA) and tight access controls now are. You’ll see it recommended by everyone from the NCSC to the SANS Institute and NIST. If you haven’t already, formulate a coherent patching policy: know what software you run and where it is deployed, set deadlines for applying fixes that scale with severity, and enforce and verify the policy with automated tools rather than relying on someone remembering to check.
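As an added illustration of what “enforce it with automated tools” looks like in practice (this is example code written for this post, not anything from the original article, from Equifax or from Apache), the following Python script checks an inventory of deployed jar files for versions of struts2-core affected by CVE-2017-5638. The affected ranges (2.3.5 up to but not including 2.3.32, and 2.5 up to but not including 2.5.10.1) are taken from the Apache Struts S2-045 advisory; the file paths below are a constructed sample, and the function and constant names are this example’s own.

```python
import re
from pathlib import Path

# Affected version ranges for CVE-2017-5638 as published in the Apache Struts
# S2-045 advisory (fixed in 2.3.32 and 2.5.10.1). Each entry is a half-open
# interval [lo, hi) expressed as version tuples. This is the example author's
# reading of the advisory, not data from the article above.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 32)),      # 2.3.5  <= v < 2.3.32
    ((2, 5), (2, 5, 10, 1)),      # 2.5    <= v < 2.5.10.1
]

# Matches the Maven artifact naming used by Struts, e.g. struts2-core-2.3.31.jar.
# Only purely numeric dotted versions are matched; suffixed builds are skipped.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so Python tuple ordering compares it.

    Tuple comparison treats a shorter prefix as smaller, so (2, 5, 10) < (2, 5, 10, 1),
    which is exactly why 2.5.10 is flagged while 2.5.10.1 is not.
    """
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version_text):
    """True if the given struts2-core version falls inside an affected range."""
    version = parse_version(version_text)
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def find_vulnerable_jars(paths):
    """Return [(path, version)] for every struts2-core jar in `paths` that is affected."""
    hits = []
    for path in paths:
        match = JAR_RE.match(Path(path).name)
        if match and is_vulnerable(match.group(1)):
            hits.append((str(path), match.group(1)))
    return hits


def scan_tree(root):
    """Walk a real filesystem tree (e.g. a Tomcat webapps directory) and report hits."""
    return find_vulnerable_jars(Path(root).rglob("struts2-core-*.jar"))


# Constructed sample inventory; these paths are illustrative, not Equifax's systems.
SAMPLE_INVENTORY = [
    "/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/tomcat/webapps/intranet/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for path, version in find_vulnerable_jars(SAMPLE_INVENTORY):
        print(f"VULNERABLE struts2-core {version}: {path}")
```

Real deployments also bury jars inside WAR and EAR archives and ship vendor builds with version suffixes, so a production version of this check would unpack archives and read the version from the jar manifest rather than trusting the filename. The point it demonstrates is that “did we patch everything?” has to be a mechanical, repeatable question with a machine-produced answer, which is what a patching policy needs in order to be enforceable.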
Clear and effective incident response, another area where Equifax fell short, belongs on the same list. The plan needs to involve stakeholders from across the organisation and, most importantly, must be tested and updated regularly so it remains fit for purpose.
GDPR compliance can seem like a daunting task, but in reality those already complying with the UK Data Protection Act will be a large part of the way there. Follow those best practices, draw on standards frameworks such as ISO and NIST, and seek help from the organisations set up to provide it, such as the NCSC, the ICO and the European Commission’s Article 29 Working Party.
At Centrify, we’ll be taking this message on the road in the next few weeks. If you’re in the area, and want to find out more on how risk-based MFA can help protect your organisation and boost GDPR compliance as part of a best practice approach, we’ll be here:
It-sa: Nuremberg, 10-12 October
Gitex: Dubai, 8-12 October
Les Assises: Monaco, 11-14 October