Asking bankers to comment on the Equifax data breach generally evokes a cone of silence forged out of a combination of sympathy and fear — I’m not going to speak about it because it could happen to me.
“Even if you’re really good, stuff can happen,” the chief information officer of a large financial services organization said privately. “I don’t want to throw stones because I also live in a glass house.”
A few, though, will acknowledge the toll the breach has taken on their customers and their security departments, which have scrambled to ensure they won’t share (or haven’t shared) Equifax’s fate.
“I double-checked that we had that security flaw patched, and we did,” the CIO said, referring to a vulnerability in the Apache Struts web application framework that, according to a press release Equifax issued Friday, hackers exploited to break into the company’s servers and compromise 143 million customer records. Equifax uses the Apache Struts framework in its U.S. online dispute portal.
Another banker, Jim Hanlon, the chief technology officer at Dedham Savings Bank in Boston, was astounded that Equifax did not catch its breach more quickly.
“We have 60,000 customers,” he said. “If somebody came into our network and was looking at 100 files, that would raise a flag with us. If somebody’s accessing millions of records, how is something not alerting them to that fact? That’s the concerning piece to me. The documentation said they take network security seriously. But there should have been a red flag somewhere.”
Equifax's security team detected and blocked suspicious network traffic associated with its U.S. online dispute portal web application on July 29. But the company's investigation found that hackers had access to certain files containing personal information from May 13 through July 30.
For banks, the Equifax breach has provided a painful lesson in damage control.
“Our customers have been calling us, asking about the Equifax hack,” Hanlon said. “It’s something that’s at the forefront of our thought process right now.”
Immediately after the Equifax breach, Central National Bank in Enid, Okla., sent a letter to customers letting them know their personal data may have been compromised in the breach.
“Communication is key,” said Mark Sumby, the bank’s senior vice president.
The bank also recommended that affected customers ask for a credit freeze across all three credit bureaus.
“Because now [the criminals] have all that data on you,” he said.
Equifax has agreed to waive fees for removing and placing security freezes through Nov. 21.
Stepping up security
Security upgrades are, of course, inevitable.
“The obvious answer to all of this is, encrypt the freaking data,” Steve Ely, CEO of the alternative credit data provider eCredable, said in a session at the PayThink conference on Monday. “Then we're not having this conversation.”
Banks “do a pretty darn good job at fraud prevention” already, he said, but the Equifax breach might speed up impending security projects.
“Where a bank might have said no, we'll put off that project till next year, now they might go, let's go ahead and do that project now,” Ely said. “Their directors are going to say to them, what are you doing about security? This illuminated to so many people how big this is, so now it's on their radar, they're thinking, we don't want this to happen to us, too. Let's make sure we invest more quickly.”
Michael Failor, head of portfolio analytics at the online lender Enova, suggested half-jokingly that now might be a good time to invest in security companies.
“Because Equifax is in this area of collecting consumer data and holding on to it, they have had a big target on their head,” he said. “But [industrywide] it's happened six or seven times, and it could happen to any large company that collects a lot of data.” A recent IBM report found that more than 200 million financial services records were breached in 2016, a 937% increase from 2015.
Dedham’s Hanlon said that banks, like everyone else, have to assume they are going to be breached through some type of malware or hacking technique and act accordingly.
“You’re going to have somebody that gains access to your network,” Hanlon said. “So how do I limit the damage that could potentially be done?”
Most financial institutions over the years have done a good job of building fences at the perimeter and investing a lot of money in security tools like intrusion detection and intrusion prevention systems and firewalls, he said, but they haven’t done enough to monitor what happens when someone breaks in.
Dedham uses software from Varonis that identifies where customer data and other critical information is stored and monitors all access to that data.
“Being a financial institution, we know we’ve got everybody’s life story, especially if you apply for a mortgage: You have tax returns in there, you have credit reports, you’ve got soup to nuts,” Hanlon said. “So how do we protect those files, or make sure that whoever is accessing those files are only the people that should access the file?”
The Varonis software reports on who has accessed sensitive files and when, and it sends alerts about any unusual behavior.
Dedham has put a special watch on the accounts of customers who say they are victims of the Equifax breach. For some, it’s issuing new debit cards or creating new accounts.
“Depending on the level of anxiety with the customer, there are different scripts we follow to not only ease the consumer’s mind but monitor that activity,” Hanlon said.
The Varonis software provides alerts if someone tries to view a large number of files, or zips or encrypts files. Only the information technology department is supposed to be encrypting files at the bank.
“When user behavior is nontypical, we get alerts,” Hanlon said. There are also alerts whenever files or directories containing sensitive data are accessed.
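To make concrete the kind of rules Hanlon describes (alerts on access to directories holding sensitive customer files, on zip or encrypt actions by anyone outside IT, and on a user reading an unusually large number of files in a short window), here is an added illustration in Python. It is not Varonis’s code or Dedham’s configuration: the audit-log format, the thresholds (100 distinct files within 10 minutes), the directory names and department labels are all assumptions, and the sample log lines are constructed.

```python
"""File-access anomaly rules over a constructed audit log (illustration only)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds and labels; tune to the environment being monitored.
BULK_READ_THRESHOLD = 100            # distinct files one user reads within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=10)
SENSITIVE_PREFIXES = ("/shares/mortgage/", "/shares/loan-apps/")  # assumed locations
ENCRYPT_ALLOWED_DEPTS = {"IT"}       # only IT is expected to zip or encrypt files
SUSPICIOUS_ACTIONS = {"zip", "encrypt"}


def parse_line(line):
    """Parse one constructed audit line: '<iso-timestamp> <user> <dept> <action> <path>'."""
    ts, user, dept, action, path = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "dept": dept, "action": action, "path": path}


def detect(lines):
    """Return (rule, user, detail) alerts in log order."""
    alerts = []
    windows = defaultdict(deque)     # user -> deque of (timestamp, path) inside the window
    already_flagged_bulk = set()     # raise the bulk-read alert once per user

    for line in lines:
        ev = parse_line(line)

        # Rule 1: any access to a directory known to hold sensitive customer files.
        if ev["path"].startswith(SENSITIVE_PREFIXES):
            alerts.append(("sensitive_access", ev["user"], ev["path"]))

        # Rule 2: zip/encrypt by a user outside the department allowed to do it.
        if ev["action"] in SUSPICIOUS_ACTIONS and ev["dept"] not in ENCRYPT_ALLOWED_DEPTS:
            alerts.append(("unauthorized_" + ev["action"], ev["user"], ev["path"]))

        # Rule 3: bulk reads, counted as distinct files per user in a sliding window.
        if ev["action"] == "read":
            window = windows[ev["user"]]
            window.append((ev["ts"], ev["path"]))
            while window and ev["ts"] - window[0][0] > BULK_WINDOW:
                window.popleft()
            distinct = len({path for _, path in window})
            if distinct >= BULK_READ_THRESHOLD and ev["user"] not in already_flagged_bulk:
                already_flagged_bulk.add(ev["user"])
                alerts.append(("bulk_read", ev["user"], f"{distinct} files in {BULK_WINDOW}"))
    return alerts


def sample_log():
    """Constructed audit lines (not real data) that exercise each rule once."""
    base = datetime(2017, 9, 12, 9, 0, 0)
    lines = [  # a teller reading three ordinary forms: no alert
        f"{(base + timedelta(seconds=i)).isoformat()} jdoe Teller read /shares/branch/forms/f{i}.pdf"
        for i in range(3)
    ]
    lines += [  # a service account sweeping 120 customer files in six minutes: bulk_read
        f"{(base + timedelta(seconds=3 * i)).isoformat()} svc_backup Ops read /shares/customers/c{i:04d}.pdf"
        for i in range(120)
    ]
    lines.append(f"{(base + timedelta(minutes=7)).isoformat()} jdoe Teller zip /shares/customers/export.zip")
    lines.append(f"{(base + timedelta(minutes=8)).isoformat()} itadmin IT encrypt /shares/customers/archive.7z")
    lines.append(f"{(base + timedelta(minutes=9)).isoformat()} mlee Lending read /shares/mortgage/smith/tax-2016.pdf")
    lines.sort()  # ISO timestamps sort lexicographically, so this orders by time
    return lines


if __name__ == "__main__":
    for rule, user, detail in detect(sample_log()):
        print(f"ALERT {rule:<18} {user:<12} {detail}")
```

Running the block prints three alerts: the bulk read by svc_backup (raised once, at the 100th distinct file), the zip by the teller jdoe, and the access to the mortgage directory by mlee; the encrypt by the IT account is intentionally silent. In a real deployment the per-user threshold would be derived from that user’s own baseline rather than a fixed constant, which is the “nontypical behavior” Hanlon refers to.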
Security training is also important, Hanlon said.
“We do social engineering on a regular basis where we hire firms to come in and try to game customer information. That’s an important part of this, and it gives employees an awareness of what people will try to do,” he said. “It’s a joint effort that includes having a knowledgeable workforce, keeping up the training, as well as putting in best-of-breed tools to assist with the process.”
Bankers are hopeful Equifax uses the negative experience to make itself a security leader, sparing no expense on third-party security reviews and internal reforms.
“Here's what's ironic,” Ely said. “This is such a wake-up call for Equifax, that a year from now, if you're a big bank, you won't want to do business with anybody else. They'll have the best security on the planet.”
Editor at Large Penny Crosman welcomes feedback.