The massive Equifax hack put 143 million consumer names, Social Security numbers, birth dates, and addresses in the hands of cyber attackers. An unknown number of drivers’ licenses and credit card numbers were also compromised. This is the latest in a long line of data breaches victimizing the customers of organizations like Target, Home Depot, the Office of Personnel Management, Anthem Medicare, and many others. Tens of millions of personal information records have been stolen.
IT groups are implementing data security practices like network segmenting and multi-factor authentication to mitigate the damage wreaked by a successful data breach, but there is a huge amount of work to be done in order to put the Era of the Massive Data Hack behind us.
More robust data encryption is a big step that should be taken wherever practical to change the game. World-class encryption technology can help create a new normal in which attackers who access information can’t do anything with it. But in a world that takes years to roll out technologies like chip-and-PIN credit cards, every stakeholder must make a serious commitment for this to happen.
According to Equifax’s web site, all Equifax Information must be encrypted as it is transmitted over the Internet. A minimum of 128-bit key encryption is required. Equifax Information must also be protected when stored on servers separated from the Internet by firewalls and inaccessible by TCP services directly. Equifax secure authentication and passwords are to be changed at least every 90 days and security-specific system patches are to be kept current.
The Equifax hack via the Apache Struts web-application software occurred in May, two months after a patch had been made available. As Wired put it, this was a “known flaw with a ready fix.” After breaking in, the hackers gained access to unprotected data immediately, and may have worked through May, June, and July to get greater access. Alex McGeorge of the security firm Immunity asserts that hackers could have found credentials or other information in plaintext right away if Equifax didn’t have proper protections in place.
As Lily Hay Newman points out in another Wired piece, with the right setup a breach doesn’t have to be catastrophic, but without it the effects really are dramatic. The Federal Trade Commission is launching an investigation into Equifax, which may be augmented by others from the Securities and Exchange Commission and the Consumer Financial Protection Bureau.
Cyphre customers know that hardware-based encryption has a crucial role to play in achieving sustainable impregnability against devastating data hacks. The biggest threat to cloud data at rest and in transit is the period when security keys are memory-resident on the host server. Cyphre’s patent-pending BlackTIE® technology augments vulnerable single encryption keys with hardware-encrypted Black Keys to render hijacked keys useless, thus nullifying the threat. Chip-resident Black Keys are completely isolated from hacker exposure.
Should the IT world embrace a heightened level of data security as a right guaranteed to all those whose personal information resides online? If so, powerful and affordable hardware-based encryption technology from Cyphre can play a key role in achieving this.