Personal Identifiable Information Exposed: Equifax
“The data breach is one of the worst ever, by its reach and by the kind of information exposed to the public.” – CNN Tech
“Equifax will not be defined by this incident, rather by how we respond.” – Rick Smith, Chairman, and CEO of Equifax
“While this kind of security breach is becoming more common, it is important to understand that there are measures organizations can take to protect personal identifiable information.” – Christine Kruze, AOTMP’s Subscription Services Manager
Equifax was breached in a major way between mid-May and June 29th. Equifax originally stated that Personal Identifiable Information, commonly known as PII, and credit card information were exposed for potentially 143 million people. Equifax said that credit card numbers for about 209,000 U.S. customers and PII for roughly 182,000 U.S. customers involved in credit report disputes were exposed, and that residents of the U.K. and Canada were also affected.
Since the original statement, Equifax announced on Oct 2, 2017, that an additional 2.5 million people were affected, bringing the total to 145.5 million. They also updated their preliminary numbers by stating in the release that “The completed review subsequently determined that personal information [PII] of approximately 8,000 Canadian consumers was impacted. In addition, it also was determined that some of the consumers with affected credit cards announced in the company’s initial statement are Canadian.”
What is PII and why does your organization need to be concerned about it? As AOTMP defines it, PII is any data or information that can identify a person or individual, such as date of birth, SSN (including the last 4 digits as a standalone value), credit card numbers, and driver’s license numbers, all of which were exposed during this breach.
So, what happened? Equifax reported that the breach resulted from a website vulnerability. AOTMP has recommendations on how to be proactive and ensure that measures are in place to protect an organization from these types of breaches. AOTMP recommends that organizations maintain processes, procedures, and policies to mitigate the risks associated with security breaches.
For starters, ensure the Telecom Security Policy is clear, so that customers understand how your organization intends to protect their information and to follow the regulations that keep their information safe. Then, top that off by making the organization’s Security Policy available to staff and having them acknowledge it. A security policy is what ensures that information is secured. An organization runs, lives and breathes on information. Information Security is the protection of an organization’s data and information, including the work, groups, individuals, and systems that collect, process and store that data and information. Information Security is very important to telecom business objectives as well as overall business objectives, as it protects business assets and intellectual property.
The Telecom Security Plan should be audited annually and whenever a major breach occurs, or at a minimum the breach should be discussed to confirm that the organization itself is not vulnerable to the same kind of attack. During the phases of a telecom security plan audit, you will review the aspects of evaluating strategy and governance as well as validating compliance monitoring. You will also understand the importance of reviewing previous security risk management information, evaluating security management roles, validating the effectiveness of security awareness training, and validating system configurations to ensure they align with regulations, governance, and business requirements.
“The Equifax data breach shows organizations still have a long way to go when it comes to data security. Organizations should perform security threat assessments annually to keep up with the constant threats that are out there today.” – Scott Lawrence, AOTMP’s Vice President & Sr. Research Analyst
A Security Assessment is essential to creating a security plan. Knowing what security challenges exist, and what requirements an organization has, ensures the most secure configurations are in place. It is important first to identify what needs to be protected and, based on how critical each asset is, to what extent it should be protected, and then to put in place a monitoring system on the network and systems that identifies situations that could cause, or are attempting to cause, loss. Once threats are identified or detected, have a proper, planned response in place. Knowing who performs each recovery process, and the expected response times, is crucial to bringing all affected systems back to their normal operating status. This process should be performed on an annual basis. It could also be beneficial to perform a smaller-scale threat assessment when a major breach occurs.