Equifax and the Swedish government become the latest high-profile data breach victims
We delve past the attention grabbing headlines ("143 million customers affected") to identify some important lessons.
02 October 2017
On 9 September, credit report giant Equifax revealed that hackers had accessed the personal data (including social security numbers, birth dates and addresses) of over 100 million of its customers. Not only did Equifax's Chief Information Officer and Chief Security Officer both retire in the days immediately following the attack, but Chairman and CEO Richard Smith also later resigned after facing heavy public criticism over how Equifax had responded to the breach. Shares in the company have dropped 27%.
This comes just weeks after the Swedish government was plunged into political crisis by a huge breach of confidential data, involving the possible disclosure of details regarding undercover operatives and military planning. Described by one official as "like handing over the keys to the kingdom", the terms of one of their outsourcing arrangements resulted in foreign nationals without proper security clearance having access to highly sensitive and confidential information. At the time of writing, the scandal has claimed the jobs of both Infrastructure Minister Anna Johansson and Interior Minister Anders Ygeman. Prime Minister Stefan Lofven has survived a vote of no confidence, but it remains to be seen if he will be held to account by voters in next September's election.
Spotlight shifts to response
In the case of both Equifax and the Swedish government, media attention has of course focussed on the circumstances of the breach itself. There has been much press coverage of the fact that, for example, the outsourcing agreement entered into by Sweden's transport agency failed to include various key privacy and security safeguards. However, these incidents serve as further proof that, as well as the root cause, the manner and adequacy of a victim's response to a cyber-attack will also ultimately come under the spotlight.
In Sweden, the timeline of events has been probed. It has been reported that the incident occurred as long ago as 2015. The Prime Minister learned of the breach in January, while the interior and defence ministers knew 18 months ago. The government is now under pressure to explain why it did not inform the public earlier, and why its response only appears – from the outside – to have come after a series of articles were published in Dagens Nyheter, a Swedish newspaper.
The facts are clearer when we come to Equifax, which is facing dozens of legal claims, government-led criminal investigations and congressional hearings. People have questioned why Equifax waited over a month before publicly disclosing knowledge of the breach, and how three executives were able to sell shares worth $1.8 million just days after the breach was identified internally.
What can you do?
As the above suggests, mitigating risk is not just a question of implementing the best available technical security measures. From knowing regulatory notification requirements and having key communications pre-drafted so they can be quickly disseminated across business units, to understanding legal privilege implications and assessing liability gaps in supply chains, being cyber ready now reaches far beyond the technical. Whether it is augmenting existing policies and procedures and reviewing specific arrangements with material suppliers, or developing end-to-end global incident response plans, the objective remains the same: ensuring that, when a cyber event does occur, your business's response is coordinated and managed in the correct way from the point of impact onwards.