According to the official statement from Equifax yesterday afternoon, "criminals exploited a U.S. website application vulnerability" in order to access records of some 143 million people (mostly Americans with some victims from the UK and Canada). With the current U.S. population at approximately 325 million, we're talking about the equivalent of 44 percent of the country.
Not only is the sheer volume of victims impressive, but Equifax estimates that the unauthorized access started in Mid-May and continued through the end of July, when the breach was finally discovered. That gave the criminals a lot of time to pull our personal records, all the while remaining undetected.
After major events like this the question is often asked, "In a world where we're hyper aware of the risks and dangers of cyber crime, how did this happen?" Our answer? It shouldn't happen.
Yes, cybersecurity is complicated. There are many components that go into information security: firewalls, anti-virus, endpoint security, encryption—the list goes on and on. Taking only one or some of these security measures won't provide complete protection; instead companies need a security program that covers all potential security gaps. And a crucial component to any complete security program is vulnerability management.
The importance of vulnerability management is clearer than ever today, considering that this breach was reportedly caused by an exploited vulnerability within an Equifax web app. We know that most major vulnerabilities are discovered and published in the National Vulnerabiltiy Database before they're exploited, but since they have yet to identify the specific vulnerability we can't yet confirm that this one was known. But, in our experience—most recently with the vulnerabilities exploited with WannaCry and Petya ransomware—the vulnerability was likely identified and had an available fix before it was exploited (or, at the very least, before the breach was finally discovered in July).
So, yes, this breach likely could have been prevented with the right vulnerability management tool. IGI's vulnerability management solution, Nodeware, is specifically designed to prevent this type of breach from happening. Because Nodeware performs both continuous internal scanning and on-demand external scanning for websites, web applications, and external IPs users have a 360-degree view of all their vulnerabilities. All vulnerabilities are reported in real time on the Nodeware Manager dashboard and users can opt in for notifications of critical vulnerabilities, taking the guesswork out of managing and fixing vulnerabilities. By keeping up with alerts for critical vulnerabilities, and quickly accessing the link to fix them through Nodeware, companies can avoid joining the list of the worst data breaches in history and, most importantly, keep their customers' data safe.
I'm sure that new information about this breach and the exploited vulnerability will come out in the coming days or weeks, after which we can discover if and when this vulnerability was known (and if our intuition was correct).
In the meantime, we advise taking a few moments to see if you've been impacted by the breach and to sign up for the free identity protection through Equifax.
If you're a business without a vulnerability management solution in place, purchase Nodeware through one of our partners today. If you're an MSP, MSSP, or reseller that is looking to expand their cyberscurity offerings, now is the time.