Equifax, a major credit reporting company, suffered a large-scale security breach in early September of this year. The number of people whose confidential information was potentially compromised was in the hundreds of millions. In the wake of this news, cyber security professionals are working to understand the causes of the breach while government officials seek to prevent similar incidents in the future. Here at Libra IT we are working closely with our clients to identify and secure their computers and networks.
The Security Professionals Want To Know How
Cyber security professionals like Morey Haber suggest that “organizations are more likely to be targeted if they can’t maintain PCI DSS standards on a quarterly basis,” as noted in this BeyondTrust article. The Payment Card Industry Security Standards Council (PCI SSC) created the PCI DSS, or Payment Card Industry Data Security Standard. These standards help safeguard merchants against unauthorized access and the exposure of account data. Non-compliance with these standards can result in fines, fees and penalties, along with losing the ability to process cards, not to mention the potential litigation risk from affected banks, card networks and individuals.
The number one question, obviously, was: did Equifax adhere strictly to the DSS? What Haber and other security professionals want to know is: “was this a zero day exploit? If they were PCI DSS compliant and performing FIM (File Integrity Monitoring), was this how they discovered the breach? If not, how did Equifax determine the breach, and were the systems in question within PCI Scope?”
Brandon Gilmore, in an article from Technically Speaking, brings up the dangers of using Social Security Numbers as primary keys in relational database management systems (RDBMS), which is what most modern databases are. He reports that “agencies have implemented extensive remediation initiatives to remove SSNs as the prime key, but SSNs continue to be collected and stored without a thorough understanding of the business requirements of that data.” In other words, will a future data security standard require the use of a generated primary key, and is it feasible to stop collecting SSNs for client data storage?
What this may mean for Cyber-law
In a recent article from The Hill, Financial Services Committee Chairman Jeb Hensarling indicated that the committee would hold a hearing on the Equifax incident; he said that such attacks are “too common” and that consumers “deserve answers.” The article also reports Equifax critics’ outcry on social media over its terms of service, which many took to include an arbitration clause forcing users of its products to waive their right to sue. Sen. Elizabeth Warren, in a series of tweets, called Equifax’s terms of service into question while praising a new rule by the Consumer Financial Protection Bureau that would ban clauses of this kind. The new rule touts that it will restore the ability of groups of people to file or join group lawsuits and, in some cases, companies will not only have to provide relief but also modify their policies going forward. However, this article reports that the new CFPB rule, under the Congressional Rule Act, was voted down by the House of Representatives nearly two weeks after being finalized in July of this year. Time Magazine’s Money outlines Equifax’s arbitration clause, maintaining that the clause in question was actually part of the terms of service for TrustedID Premier, a service Equifax offered to clients looking for protection following the data breach.
It is clear that major security breaches like this one raise questions on both fronts: “how did this happen?” and “how do we prevent it from happening again?” The future cyber security landscape will be marked by events like these, and it falls to the establishment not only to be aware of that landscape but also to comply with it.