By Megan Gates
Hackers backed by the Chinese military breached consumer credit reporting agency Equifax in 2017, carrying out what was then known as the largest theft of personally identifiable information (PII) ever committed by state-sponsored actors.
The hackers were able to obtain addresses, birth dates, Social Security numbers, and other data on approximately 145 million Americans, as well as individuals from Canada and the United Kingdom. A subsequent investigation by the Federal Trade Commission (FTC) revealed that Equifax [had] failed to secure the PII stored on its network, which made it easier for the hackers to gain access to their systems.
One of the reasons the hackers were able to get so much data off Equifax’s network was because of a “failure in security controls,” said Jake Williams, director of cyber threat intelligence at SCYTHE, in his keynote address at GSX 2022.
“They had security controls in place. They broke down on process…and that killed their technology,” Williams explained, adding that Equifax’s systems were not configured properly due to a process failure that did not renew its certificates.
And that process failure, followed by the data breach, led to Equifax settling with the FTC for $575 million—potentially up to $700 million—along with compensating consumers who bought credit or identity monitoring services from Equifax or other third parties because of the incident. The FBI also issued indictments, charging four Chinese military-backed hackers in connection with the attack.
While the Equifax breach was a unique incident with high-stakes players, the lack of security control validation is an all-too-common issue. Williams walked attendees through why security controls matter, the importance of validating security control efficacy, and guidance on how to initiate this process within your own organization.
You can read the rest of this article from Security Management here.
For more Security Management content about security controls, check out these articles: