With GDPR looming, Equifax data breach is especially troubling
The recently revealed Equifax data breach affects 143 million people, and with the General Data Protection Regulation set to take effect in only seven months, this is not good news.
The theft or compromise of vital information is becoming a fairly common phenomenon. It tends to be a two-pronged issue: there are threats from outside the company, and there are also rogue actors lurking within the organization's firewalls.
Companies such as Equifax that store PII (personally identifiable information) find themselves especially susceptible to attacks.
While most organizations like Equifax have hardened their perimeter and put in place infrastructure-centric measures to thwart hackers from the outside, to date little has been done to effectively inventory, secure, manage and dispose of data and information within the enterprise. In Equifax's case, hackers were able to compromise and penetrate a web server and web application to abscond with the data.
Specifically, they exploited a zero-day vulnerability related to Struts2 that was made public last week. In addition to that first zero-day, more severe zero-day exploits appeared late last week. These exploits leave web applications vulnerable to remote code execution and create a conduit for direct access to data stores (in Equifax's case, the data store held PII for 143 million people).
It is self-evident that we live in a global economy and that the threats are both exponential and global. With the advent of outsourcing and offshoring, data theft and data compromise are existing risks that organizations must mitigate. The challenges they face relate to the increasing amount of data (the 3Vs – Volume, Variety and Velocity) that proliferates across systems around the globe.
Additionally, this hack also exposed personally identifying information of European and Canadian citizens. When GDPR comes into effect in May 2018, organizations such as Equifax will face fines of 4 percent of annual revenues as a consequence of breaches such as this, adding to both the cost and the risk of contending with the breach.
In my view, companies must adopt good information management practices along with modern technologies and platforms to effectively thwart bad actors. The way to achieve that is to identify, inventory, curate and manage sensitive data throughout its lifecycle using modern, open platforms.