The United States Federal Trade Commission (FTC) announced earlier this month that Equifax has agreed to pay up to $700 Million USD in fines and monetary relief to consumers over the company’s 2017 mega data breach:
- $300 million to compensate affected consumers who bought credit-monitoring services (and an additional $125 million if that isn’t enough)
- $175 million to state and districts
- $100 million to the Consumer Financial Protection Bureau in civil penalties
Does the Equifax Settlement Go Far Enough?
Reactions to the news are mixed. Equifax is satisfied, calling the proposed settlement “a positive step for consumers.”
FTC Chairman Joe Simons said, “this settlement requires that the company take steps to improve its data security.” Those steps include the implementation of a comprehensive information security program at Equifax, albeit after the fact. The reality that Equifax had such poor security controls in the first place is irksome. The breach never should have happened.
The root cause of the data breach was an IT security hygiene issue: Equifax had not applied up-to-date patching for the Apache Struts vulnerability, which had been identified, and a fix released, months before. Equifax was, in fact, two cycles behind. Other controls failed as well. Because of that, criminals were able to manipulate and then exfiltrate a great deal of critical data.
Ed Mierzwinski, Federal Consumer Program Director of the U.S. Public Interest Research Group is not happy with the settlement. “Equifax appears to have made a calculated decision that losing the Social Security Numbers and birth dates of some 148 million consumers to identity thieves was worth only about $700 million or a little less. The shelf life of financial DNA is forever so this sounds like a sweetheart deal for a company that failed to do its basic job: protect consumer data.”
He went on to say, “Failure to protect privacy has a real harm; we think Equifax should have paid real money, not ‘just go-away’ money, and promised real changes to its sloppy last-century practices.”
Similarly displeased are two states that refuse to participate in the proposed settlement, Indiana and Massachusetts. “Equifax must pay a penalty commensurate with the worst data breach in American history, which compromised the private information of more than three million Massachusetts residents,” says Maura Healey, the Massachusetts attorney general. “Our litigation is ongoing.”
Penalties is the New Black
Equifax isn’t alone in being handed a hefty fine this month. We also heard from the following organizations:
- Facebook is paying a record $5 Billion USD over privacy violations
- British Airways faces a record fine of £183 Million for last year’s breach of its security systems
- Marriott faces $123 Million GDPR fine for 2018 security breach
With the EU General Data Protection Regulation (GDPR) now in full force, it seems we are just starting to see the financial fallout of recent data breaches.
Is this what we can expect from failed corporate information security programs going forward – fines? Fines don’t fix security holes. However, the fear of paying such fines will hopefully incentivize corporations to proactively implement best-in-class cyber security programs as soon as possible.
A Paradigm Shift in Security Priorities
If an enterprise has a reasonable patch management program in place, that will initially protect it against an Equifax-type attack. But that’s not enough. The real implication for all enterprises is that ever more consumer data is getting into the hands of criminals through exchanges on the dark web. That significantly undermines the viability of login IDs and passwords: attackers can use the harvested demographic and attribute information to bypass the controls in either the password reset process or the account registration process. A new authentication method is needed now.
Innovations of Data Science and Behavioral Attributes
Organizations need to move beyond passwords for their consumers to something we call risk-based authentication. This model-driven security runs as an ongoing process throughout the consumer’s interaction, whether over the web or in mobile applications. It represents benign behavioral attributes in a mathematical model. The actual behavior is compared in real time against that model, and a risk score is generated. That risk score tells the application how much access to permit at each point in the user’s interaction with it.
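As an added illustration (not Gurucul’s model or code), here is a minimal version of the scoring loop just described: a per-user baseline built from a handful of constructed behavioral attributes, each live observation scored by its distance from that baseline, and the weighted score mapped to an access decision. The attribute names, weights and thresholds are assumptions chosen for the example.

```python
"""Continuous risk scoring from behavioral attributes (illustrative, not Gurucul's model)."""
from statistics import mean, pstdev

# Constructed per-user baseline: historical observations of a few benign behavioral
# attributes (inter-keystroke timing in ms, scroll speed in px/s, hour of login)
# plus the set of devices this user has previously authenticated from.
HISTORY = {
    "typing_ms": [180, 195, 170, 210, 188, 176, 203, 192],
    "scroll_px_s": [420, 460, 390, 450, 430, 415, 470, 440],
    "login_hour": [8, 9, 8, 10, 9, 8, 9, 10],
}
KNOWN_DEVICES = {"ios-7f3a", "web-chrome-21"}
# Hypothetical weights; they sum to 1 so the score stays in [0, 1].
WEIGHTS = {"typing_ms": 0.3, "scroll_px_s": 0.2, "login_hour": 0.2, "device": 0.3}

def build_baseline(history):
    """Per-attribute mean and population std-dev; a zero std-dev is clamped to 1."""
    return {k: (mean(v), pstdev(v) or 1.0) for k, v in history.items()}

def attribute_risk(baseline, name, value):
    """Distance from the user's norm as |z| scaled to [0, 1]; >= 3 sigma saturates."""
    mu, sigma = baseline[name]
    return min(abs(value - mu) / sigma / 3.0, 1.0)

def risk_score(baseline, observation):
    """Weighted sum of per-attribute risks for one observation of the session."""
    score = 0.0
    for name, weight in WEIGHTS.items():
        if name == "device":
            risk = 0.0 if observation["device"] in KNOWN_DEVICES else 1.0
        else:
            risk = attribute_risk(baseline, name, observation[name])
        score += weight * risk
    return round(score, 3)

def access_decision(score):
    """What the application is allowed to do at this point in the interaction."""
    if score < 0.25:
        return "full"        # behaves like the modelled user: no prompt
    if score < 0.6:
        return "step_up"     # plausible but uncertain: ask for a second factor
    return "deny"            # far from the model: terminate the session

def evaluate_session(baseline, observations):
    """Re-score every observation, since authentication is continuous, not one-shot."""
    return [access_decision(risk_score(baseline, o)) for o in observations]
```

Feeding `evaluate_session` a sequence of observations shows the intended behavior: a session that matches the baseline stays at full access, a known user on an unrecognized device is prompted for a second factor, and a session whose behavior sits far outside the model is denied.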
Strengthening the Objective of Moving at Customer Speed
The beauty of this method is that it virtually eliminates friction for the consumer, because they don’t have to remember passwords. The reality is that people have trouble remembering passwords. They use passwords for hundreds of websites and mobile applications, and they reuse similar passwords time and time again. That leads to credential stuffing, where criminals try out leaked passwords across different domains and get a hit 3% of the time. Each hit means the threat actors take over the consumer’s account. Passwords and binary authentication tools are essentially reaching end-of-life. What’s necessary is more of a continuous authentication model, based on algorithms that deliver that capability.
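From the defender’s side, the credential-stuffing pattern described above (many distinct usernames tried from one source, most failing, a few succeeding) is visible in authentication logs. The following is an added example, not code from the original post; the log format, sample lines and thresholds are constructed for illustration.

```python
"""Flag credential-stuffing sources in authentication logs (added illustrative example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source cycles through many distinct usernames and mostly
# fails, but lands one hit; a genuine user mistypes once; another logs in normally.
LOG = """\
2019-07-22T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-07-22T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-07-22T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-07-22T10:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2019-07-22T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-07-22T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-07-22T10:00:10Z ip=198.51.100.7 user=grace result=FAIL
2019-07-22T10:00:15Z ip=198.51.100.7 user=grace result=SUCCESS
2019-07-22T10:01:00Z ip=192.0.2.9 user=heidi result=SUCCESS
"""
LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

def parse(log):
    """Turn log lines into (timestamp, ip, user, result) tuples; skips unparsable lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Return (flagged_ips, at_risk_accounts). A source is flagged when, inside a sliding
    `window`, it tries at least `min_users` distinct usernames and at least `min_fail_ratio`
    of them fail. Any SUCCESS from a flagged source is a probable account takeover, so those
    accounts are returned for step-up authentication or a forced credential reset."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged, at_risk = set(), set()
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            fails = sum(e[3] == "FAIL" for e in chunk)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged.add(ip)
                at_risk.update(e[2] for e in chunk if e[3] == "SUCCESS")
    return flagged, at_risk
```

The single successful login from the flagged source is the one that matters: blocking the source after the fact does nothing for the account that was already taken over, so that account is the one to step up or reset.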
The Potential for A New Standard in Security Models
Gurucul can use 30 to 60 different attributes for an individual, via a mobile application or a web application, to calculate throughout the entire interaction whether or not the legitimate user is the one behind the identity. Risk-based authentication is a better security model than what has been in use up to this point, and it is actually less effort, in terms of friction, for the end user. We believe we are going to see enterprises implementing this aspect of model-driven security more and more going forward.
To learn more about how our customers use model-driven security, watch this webinar on demand featuring the CISO of Aetna, Kurt Lieber: Automating Security Controls Using Models and Security Orchestration.