As we near the second anniversary of the largest data breach in history, ghosts from Equifax’s past continue to haunt the credit-reporting giant in the form of top-dollar fines. The news surfaced over the past weekend, and has been making waves ever since – Equifax might pay a whopping grand total of nearly a billion dollars in restitution to the citizens who had personal sensitive information exposed, with a small chunk of that amount taking the form of fines and fees. The agreement, which includes the US Federal Trade Commission and the Consumer Financial Protection Bureau, will bring nearly two years of investigations and lawsuits to an end.
For those who are out of the loop, here’s a little background. Equifax is one of the ‘big three’ credit reporting agencies (CRAs) in the US, alongside TransUnion and Experian PLC. Responsible for keeping tabs on citizens’ credit histories, CRAs have massive visibility into personal financial information, including social security numbers and addresses. In this particular incident, attackers exploited vulnerabilities in Equifax’s network, hid their activity inside seemingly innocuous encrypted traffic, and exfiltrated data belonging to a total of 148 million American citizens.
And this continued undetected for a disturbingly long time – 76 days, to be precise, before security experts zeroed in on the weak link and patched it up.
Further investigation revealed that Equifax did have a system in place to detect breaches such as this one, except for one little problem: that system had been offline for nearly ten months prior to the breach because its digital certificate had expired and been left unrenewed.
It’s interesting to note how one expired certificate, which tops out at a few thousand dollars to renew, played havoc with Equifax as an entity and a brand. The obvious effects include reimbursements to customers, federal and state lawsuits, compliance fines, and fees charged by investigating or auditing agencies. Of course, the hidden costs might dwarf even the financial ones, carrying with them the stigma of irreparable brand damage and stock prices being slashed within mere hours of the announcement.
This incident served as an eye-opener for nearly every organization in the world to step up its cyber security and, more importantly, its PKI (public key infrastructure) management. Digital certificates, which serve as the virtual identities of the hardware and software entities connected to the internet, can make or break a network, since they are what lets a system stay online and prove itself trustworthy to the other entities that wish to communicate with it. Of course, there’s a handy excuse to cover up potential slip-ups: how can a large organization with millions of certificates across multiple geographies possibly manage all of them, and ensure that each one is active and online at any given time?
There’s an answer to that excuse: automation. Certificate Lifecycle Automation is an up-and-coming industry which promises to single-handedly resolve every certificate-related concern a firm might have: from inventorying, to securing, to automatically renewing certificates across the board, these tools do it all.
Take Equifax’s case, for example. Such a tool would not have prevented the breach itself, but it could at least have surfaced the lapsed certificate, so that the breach was detected as soon as it happened, sharply reducing the number of victims (and the corresponding fines, too).
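As an added illustration (not code from the original post or from any vendor product), here is the core of such an inventory check in Go: it parses a PEM bundle, computes the days left until each certificate’s NotAfter, and flags expired or soon-expiring certificates for renewal. The two certificates are constructed inside the block, a monitoring-device certificate that lapsed ten months ago beside a portal certificate 20 days from expiry, and the host names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
type Status struct {
	CN       string
	DaysLeft int    // negative once the certificate has expired
	State    string // "expired", "expiring" or "ok"
}

// Inventory parses every PEM block in bundle as a certificate and classifies it against now;
// anything within warnDays of NotAfter is flagged for renewal, anything past it is expired.
func Inventory(bundle []byte, now time.Time, warnDays int) ([]Status, error) {
	var rows []Status
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("bundle entry %d: %w", len(rows), err)
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		state := "ok"
		if now.After(cert.NotAfter) {
			state = "expired"
		} else if days <= warnDays {
			state = "expiring"
		}
		rows = append(rows, Status{cert.Subject.CommonName, days, state})
	}
	return rows, nil
}
// SelfSignedPEM mints a constructed self-signed certificate with the given validity window.
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() {
	now := time.Now() // constructed inventory: a monitor cert lapsed ten months ago, a portal cert 20 days from expiry
	bundle := append(SelfSignedPEM("tls-inspector.internal", now.AddDate(-1, 0, 0), now.AddDate(0, -10, 0)), SelfSignedPEM("portal.internal", now.AddDate(0, -11, 0), now.AddDate(0, 0, 20))...)
	rows, err := Inventory(bundle, now, 30)
	fmt.Println(rows, err)
}
```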
You can read more about certificate management here.
Don’t forget to check out AppViewX CERT+, our comprehensive certificate lifecycle management and automation system.