Equifax issued a press release yesterday afternoon (Equifax press release, September 7) confirming a breach affecting approximately 143 million US consumers, plus an unspecified number of UK and Canadian consumers — the UK figure has, in subsequent statements, been revised to "up to 400,000". The information taken includes names, Social Security numbers, dates of birth, addresses, and in some cases driver's licence numbers. Approximately 209,000 US consumers also had credit-card numbers exposed, and approximately 182,000 had dispute documents containing personal information exposed. The breach, on Equifax's account, was discovered on the 29th of July and the exposure window is described as "mid-May through July 2017". The technical vector confirmed by Equifax in subsequent disclosures is CVE-2017-5638 — the Apache Struts S2-045 vulnerability that I wrote about back in March.
That detail is the operational story. The CVE was disclosed and patched on the 7th of March. Mass exploitation was active within hours. We patched the customer estate by the 10th. Equifax's exposure window started in mid-May, around two months after the disclosure, against an unpatched Struts deployment. The operational question — the one the Equifax board, the regulators, and Congress are going to spend the next year on — is why Equifax had a public-facing Struts deployment that was unpatched two months after a publicly-known, mass-exploited critical CVE. The answer is going to be some combination of insufficient asset inventory (Equifax did not know they had Struts in that location), insufficient patching cadence (the patching schedule did not prioritise the application that was running it), and insufficient operational ownership of the affected service. Whichever combination is the actual answer, the structural picture is bad enough that the company's CEO, CIO, and CSO are all in the process of departing, and the regulatory and class-action exposure is, on first estimation, the largest of any single-incident breach in US consumer data history.
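The asset-inventory failure above is the part an estate can check for itself. As an added example, not code from the post or from Equifax, the following walks a deployment tree for `struts2-core-<version>.jar` (the standard Maven artifact name) and flags any version inside the S2-045 affected ranges (2.3.5 to 2.3.31 and 2.5 to 2.5.10); the sample paths are constructed and hypothetical.

```python
"""Flag deployed Struts 2 core libraries in the CVE-2017-5638 (S2-045) affected ranges."""
import os
import re
from typing import Iterable, List, Tuple

# Affected ranges from the S2-045 advisory: 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
# Fixed releases are 2.3.32 and 2.5.10.1; tuple comparison orders them correctly.
VULNERABLE_RANGES = (((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10)))

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1), so (2, 5, 10, 1) sorts above (2, 5, 10)."""
    return tuple(int(part) for part in text.split("."))


def is_s2_045_vulnerable(version: str) -> bool:
    """True when the version string falls inside either affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def flag_jars(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, version) for every struts2-core jar in an affected version."""
    flagged = []
    for path in paths:
        m = JAR_RE.search(os.path.basename(path))
        if m and is_s2_045_vulnerable(m.group(1)):
            flagged.append((path, m.group(1)))
    return flagged


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a deployment root (for example a Tomcat webapps directory) and flag jars."""
    found = []
    for dirpath, _, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return flag_jars(found)


# Constructed sample inventory; hypothetical paths, not from any real estate.
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/app-a/WEB-INF/lib/struts2-core-2.3.30.jar",
    "/opt/tomcat/webapps/app-b/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/app-c/WEB-INF/lib/struts2-core-2.5.jar",
    "/opt/tomcat/webapps/app-d/WEB-INF/lib/struts2-core-2.3.32.jar",
]

if __name__ == "__main__":
    for path, version in flag_jars(SAMPLE_PATHS):
        print(f"S2-045 affected: struts2-core {version} at {path}")
```

A filename check misses shaded or renamed jars and vendored copies inside fat WARs, so it complements rather than replaces a build-manifest inventory.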
For the personal-data-protection conversation, the Equifax incident is qualitatively different from the consumer-internet breaches I have been writing about over the past two years. Equifax is a credit bureau. The data they hold is not data the affected consumers chose to share with them; it is data the credit-bureau industry collected from third parties (banks, employers, public records) without per-consumer consent in any meaningful sense. The breach therefore exposes consumers who have no relationship with Equifax, who did not opt into the company's data holdings, and who have no straightforward route to demand removal. The structural critique of the credit-bureau business model — that it concentrates the most sensitive identifying information about the entire economically-active US population into three private companies with limited regulatory oversight and no consumer-side opt-out — has been articulated by privacy advocates for many years; this incident makes the critique unavoidable.
The operational implications for our customer estates are mostly secondary. None of our vCISO clients are credit bureaux. The portfolio's exposure to the Equifax data is through their own customers and employees whose Equifax records have been compromised, and the relevant action items are around credit-monitoring offerings, identity-theft guidance for the affected populations, and review of any customer-organisation processes that depend on credit-bureau data integrity. The latter is the more interesting category — several customers use Equifax or comparable bureau data as a component of fraud-detection and customer-onboarding decisions, and the integrity question of "is the Equifax record we are checking actually accurate" becomes, in the post-breach environment, more loaded. The probability of synthetic-identity fraud against credit-bureau data goes up substantially in the wake of an incident of this scale.
For the GDPR readiness conversation, the Equifax incident is a useful inflection point. The UK exposure — up to 400,000 UK consumers — would, under GDPR (which applies from May 2018 in eight months' time), produce a notification obligation on a 72-hour timeline, individual-level notifications for high-risk affected populations, and potential fines tied to global revenue. The actual disclosure timeline on Equifax has been: discovered 29 July, disclosed 7 September. Six weeks. Under GDPR that timeline would be facially non-compliant unless Equifax could demonstrate operational impossibility of faster disclosure. The Article 29 Working Party guidance on breach notification (Article 29 WP guidelines on personal data breach notification, October 2017 — currently in consultation) will set the interpretive frame. The customer organisations I am briefing this autumn are using the Equifax case, with discomfort, as a worked example of what they want to avoid.
I will be writing the longer piece on the credit-bureau industry's structural posture once the Equifax investigation has produced more public detail. The political consequences in the US are going to be substantial — there is already serious congressional interest in legislative reform of the credit-bureau industry (Senate Banking Committee hearing announcement), and the regulatory environment after this is unlikely to look like the pre-incident environment. The wider lesson — that the long tail of unpatched vulnerable software in operational deployment continues to produce headline-grade incidents two months and more after disclosure — is the same lesson WannaCry produced about Windows patching, and the same lesson Heartbleed produced in 2014. The lesson is being delivered to organisations who, somehow, continue to need to be told.
The customer briefings this week are unusual in their tone. The customers are, on the whole, more directly engaged with the incident than they have been with several of the larger 2016 events, because the consumer-impact dimension is so personal. Several customers have, this week, raised the question of their own personal Equifax exposure with me directly. The advice — credit freeze, monitor accounts, prepare for years of secondary fraud — is the same advice every US consumer has received this week, and it is the right advice, and it is also entirely unsatisfactory as a response to the structural fact of the breach.