In what at first appeared to be contradictory reports, Equifax Ltd (UK) issued a statement on Friday confirming that UK systems are not affected by its recent US breach, while also stating that: “Regrettably the investigation shows that a file containing UK consumer information may potentially have been accessed.” Earlier reports put this figure at up to 400,000.
The reason is that Equifax Ltd (UK) and its TDX Group systems and platforms are reported to be entirely separated from those impacted by the 7 September Equifax Inc cyber-security breach in the US. However, the UK file that was potentially accessed “...was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.”
It is reported that this information comprised name, date of birth, email address and telephone number, but not any residential address information, password information or financial data. Following its initial assessment, Equifax expects to contact “fewer than 400,000 UK consumers” to provide advice and reassurance.
Equifax says it believes identity takeover is unlikely for the UK consumers who had their data potentially accessed but is nonetheless offering those affected a free identity protection service.
There is an ongoing investigation by Equifax Ltd, which is also ‘in dialogue' with the Financial Conduct Authority and the Information Commissioner's Office.
Patricio Remon, president at Equifax Ltd said: "We apologise for this failure to protect UK consumer data. Our immediate focus is to support those affected by this incident and to ensure we make all of the necessary improvements and investments to strengthen our security and processes going forward."
In the US, the company's chief information officer (CIO) and chief security officer (CSO) are retiring, the credit monitoring company said Friday.
The company, which didn't provide any information on the two executives, is now under investigation by the US Federal Trade Commission (FTC) and faces at least two House committee probes for what Senator Chuck Schumer, D-N.Y., called "one of the most egregious examples of corporate malfeasances since Enron."
An FTC spokesperson told Reuters that the FTC has launched a probe. "In light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach," the news report cited FTC spokesman Peter Kaplan as saying in an email.
The House Committee on Science, Space, and Technology, and the House Committee on Oversight and Government Reform are going to investigate as well, Reuters reported.
Equifax's CEO, Richard Smith, will also testify before a House panel on 3 October.
Schumer suggested that Smith and the company's board should resign if they don't quickly take the initiative - including notifying customers and allowing credit freezes for 10 years - to protect consumers.
"We need to get to the bottom of this - the very bottom, the murky bottom, the dirty bottom," the senator was quoted as saying.
Bloomberg had earlier reported regulatory findings indicating that between 1 and 2 August, days after Equifax discovered the breach, its chief financial officer John Gamble sold US $946,374 of shares in the company; Joseph Loughran, president of US information solutions, sold US $584,099 worth; and Rodolfo Ploder, president of workforce solutions, sold US $250,458. Company spokesperson Ines Gutzmer told Bloomberg that the three executives "sold a small percentage of their Equifax shares" and "had no knowledge that an intrusion had occurred at the time."
Dan Panesar, VP EMEA, Certes Networks, responding to news that Equifax's CIO and CSO stepped down, emailed SC to comment: “It is ever more apparent that not only is maintaining traditional approaches to cybersecurity an open invitation to hackers, but also that the mindset of most CIOs and CISOs needs to change.
“It's all good and well having the buck stop with the CIO when a breach occurs, but when are boards going to take a holistic view of their risk profile, and empower dedicated security teams working under the supervision of the CIO to have full control over policy and implementation?
“Current solutions are flawed and follow an outdated approach to security. Companies - including every single member of the C-suite - must change to a Zero Trust security posture so that when updating their technology, it follows a new, innovative mindset, rather than continuing the insanity cycle with the next generation of flawed technology.”
When news emerged that the cause of the breach was a missed patch, many in the industry agreed that Equifax now had no excuse. Amit Yoran, CEO of Tenable Network Security, emailed SC Media UK to say: “Once again, we have a basic failure in cyber-hygiene causing a massive data breach. The Equifax breach is the latest example of a known vulnerability with a patch readily available that was not applied, leaving millions of customers at risk. The fix was available for the Apache Struts vulnerability used in this attack for two months before Equifax was breached. Cyber-criminals don't need to waste a precious and rare zero-day exploit when they can easily get into your network using a known exploit of an unpatched vulnerability.
“This should be a wake-up call for organisations of all sizes, across all industries. Knowing what systems your business relies on, and keeping those systems up to date and protected from exploitation, isn't a theoretical best practice - it frequently makes the difference between stopping an attack and a massive breach.”
For Dan Panesar, VP EMEA at Certes Networks, the failures in the current security model show why a breach like this makes it crucial for organisations in the financial sector to change their mindset before their technology.
He commented, “The latest Equifax security breach in its Argentine operations further highlights the industry's outdated approach to cyber-security. The financial services industry is a high-profile goldmine for hackers, so why are organisations still exposing their – and their customers' – data to risk through basic security protocol lapses?
“It's not just a case of using more complex login and password details - though the simplicity in this case is arguably negligent; it's a case of changing current security models that place so much emphasis on application-based security.
“The problem is that rather than looking to innovation as a way to address the problem, the cyber security industry as a whole continues to deploy the same protection methods and technology, yet expects a different result - a cycle of insanity.
“Mindset must change before technology. Current solutions are flawed and follow an outdated approach to security. Companies must change to a Zero Trust security posture so that when updating their technology, it follows a new, innovative mindset, rather than continuing the insanity cycle with the next generation of flawed technology.”