By now, the sheer scale of the Equifax data breach should send shivers down the collective spines of business leaders and consumers alike. An astounding 143 million Americans’ most sensitive data, including social security numbers, credit card numbers, driver’s license numbers, dates of birth, and bank account details have been compromised by a massive security breach which first came to light in August of this year, even though the breach occurred much earlier. The breach is now one of the largest exposures of private data in United States history. One in three Americans has likely had their most sensitive data compromised.
The Equifax breach adds yet another high-profile data breach to the series of breaches that have hit the news this year. Deloitte, one of the “big four” accounting firms, compromised “blue-chip” clients’ personal data by failing to secure internal emails; Whole Foods, recently acquired by Amazon, announced within the last week a breach at some of its stores that will affect customer debit and credit card information; and Neiman Marcus continues to struggle with data breaches despite having settled a $1.6 million class-action lawsuit in 2015. These high-profile breaches are frequently covered by the media with the intention of alerting consumers, but what should businesses learn from these incidents?
As details emerge from the Equifax breach, one thing has become clear: this breach, and the tremendous liability it has created for Equifax and its shareholders, had a deviously simple origin – the failure to “patch” essential software. According to Equifax, hackers exploited a web application vulnerability in Apache Struts, which has had a history of security issues. Struts is an open-source code base that provides a framework for developing web applications quickly, without the need for developers to delve into time-draining details. Equifax used Struts to build its websites, and Struts, like nearly all software, requires patches to close security holes. The Struts project announced a software patch to fix a defect on March 8, 2017 and, despite the announcement, Equifax’s system remained vulnerable because the patch wasn’t applied. In portions of the written testimony released on Monday, October 2, to be provided to the House Committee, former Equifax CEO Richard Smith admits that the breach was due to neglecting to patch this vulnerability, which was known to Equifax as early as March 9, 2017.
Broadly, a “patch” is an updated or additional software module, or supporting data, that adds functionality, improves performance, changes the user interface, corrects security shortfalls, or supports new hardware. In the security context specifically, patches often fix defects identified by others which outside actors can exploit to gain access, view data, inject viruses, or perform other nefarious acts. In Equifax’s case, the Struts defect allowed outside users to gain elevated access to Equifax’s online disputes portal through vulnerabilities in the web forms built with the Struts framework. Equifax’s online disputes portal allowed consumers to dispute errors in their personal credit reports and thus contained a broad range of highly sensitive information. Equifax’s failure to patch the Struts defect allowed outside access to that data, and this access went undetected by Equifax’s existing operational security for months.
Equifax is the largest, though no longer the latest, in a string of high-profile data breaches caused by companies’ failure to patch software vulnerabilities in a timely fashion, which of course means immediately. According to a study released in March 2017 by research firm Voke Media, 80% of companies that suffered a breach or failed a security audit did so because of a failure to patch or reconfigure basic software defects. Many of these same companies took longer than 10 days to apply patches, leaving them exposed to exploitation by outside actors for more than 10 days, since a vulnerability is exploitable from the moment it exists, not merely from the moment it becomes known and assessed.
High-profile breaches appear almost weekly, and businesses should be assessing their approaches to operational security in order to reduce the substantial risk presented by data breaches. Experts in the field note that patching is a relatively simple security step, but one that requires constant vigilance and rapid action, especially since prompt patching prevents enormous downstream costs to both clients and the organization.
The following are some best practices to ensure software patches and updates do not become the source of liability, costly responses, and embarrassment for your company:
- For businesses that use Windows, all machines (including laptops) should have automatic updates enabled. Ensuring updates occur automatically removes the substantial risk that even a few hours of delay can pose to data security.
- For iOS and OS X users, Apple’s notifications that updates are available are conspicuous and recurring. All employees, and anyone else with access to company files or email, should update immediately.
- For enterprise software, patch management systems such as SolarWinds and GFI LanGuard can help manage patches and software vulnerabilities at a more detailed and centralized level. Many more patch management solutions exist, including Microsoft’s System Center Configuration Manager; whichever you choose, select an update and patch management system that matches the scale and data risks of your organization.
- Designate an individual to monitor update and patch releases and then to ensure all are installed. Make sure this individual has a backup because even a delay of one day can result in serious exposure for the company.
- As always, keep communication with employees about software and security open and frequent. All employees should be aware of your organization’s best practices when it comes to software updates and patches.
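The monitoring step above, applied to a software inventory: the following is an added Python illustration written for this post, not code from Equifax, the Apache Struts project, or any of the patch management products named. It takes a constructed list of hosts and the software versions they run, compares each against a constructed vendor advisory (the March 8, 2017 release date is the one given above; the product name, version numbers, host names and "today" date are invented), and reports which hosts are still running a version below the first fixed version and whether the 10-day window cited above has already been exceeded.

```python
"""Patch-compliance check for a software inventory (added illustration).

All hosts, products, versions and dates below are constructed sample data,
not Equifax's records or any vendor's real advisory.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str   # first version that contains the fix
    released: date       # day the vendor published the patch


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str


def parse_version(v: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.
    A plain string comparison would wrongly rank '2.4.10' below '2.4.7'."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(host: Host, advisory: Advisory) -> bool:
    """A host is vulnerable when it runs the advisory's product at a version
    older than the first fixed version."""
    if host.product != advisory.product:
        return False
    return parse_version(host.version) < parse_version(advisory.fixed_version)


def compliance_report(hosts, advisories, today: date, sla_days: int = 10):
    """Return one finding per unpatched (host, advisory) pair, including how
    many days have passed since the fix was released and whether the patching
    SLA (default 10 days, the window cited in the post) has been missed."""
    findings = []
    for adv in advisories:
        for h in hosts:
            if is_vulnerable(h, adv):
                age = (today - adv.released).days
                findings.append({
                    "host": h.name,
                    "product": adv.product,
                    "installed": h.version,
                    "fixed_in": adv.fixed_version,
                    "days_since_fix": age,
                    "sla_missed": age > sla_days,
                })
    return findings


# Constructed sample data: a hypothetical web framework advisory published on
# March 8, 2017 (the patch date given in the post) and four invented hosts.
SAMPLE_ADVISORIES = [
    Advisory(product="web-framework", fixed_version="2.4.7",
             released=date(2017, 3, 8)),
]
SAMPLE_HOSTS = [
    Host("disputes-web-01", "web-framework", "2.4.6"),   # unpatched
    Host("disputes-web-02", "web-framework", "2.4.7"),   # exactly the fix
    Host("intranet-01", "web-framework", "2.4.10"),      # newer than the fix
    Host("legacy-01", "web-framework", "2.3.9"),         # unpatched, older line
    Host("mail-01", "mail-server", "1.0.0"),             # different product
]
SAMPLE_TODAY = date(2017, 3, 20)   # constructed check date, 12 days after the fix


def run_sample():
    """Run the check over the constructed inventory and return the findings."""
    return compliance_report(SAMPLE_HOSTS, SAMPLE_ADVISORIES, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_sample():
        flag = "SLA MISSED" if f["sla_missed"] else "within SLA"
        print(f"{f['host']}: {f['product']} {f['installed']} < {f['fixed_in']}, "
              f"{f['days_since_fix']} days since fix ({flag})")
```

In practice the inventory would come from the patch management system rather than a hand-written list, but the logic is the same: compare what is installed against the first fixed version, and measure the age of every open gap against the window your organization has decided it can tolerate.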
Prevent your business from becoming the next headline. Use the recent data breach examples as a way to highlight and analyze the business costs and benefits that enterprises which acquire and hold consumers’ personal information must consider. Now more than ever, businesses are recognizing the incentives to increase their budget and efforts toward securing personal information. If you are interested in discussing how Michael Best can assist your business with its privacy and data security needs, please contact your Michael Best attorney or a member of the Michael Best Privacy & Data Security Team.