By now, you'll have heard about the breach at Equifax, leading to the leaking of PII relating to about 143 million people in the US, Canada and the UK. While it's unlikely many Australians were directly affected, the nature of the breach highlights why mandatory data breach notification laws are important, why notification periods are critical, and why you need to ensure you're ready to communicate with anyone whose data you store.
Equifax is a credit checking agency. They hold massive volumes of personal data. Late last week, Equifax disclosed that a vulnerability on their website resulted in the exposure of around 143 million data records. While not the largest breach of personal data ever, it's arguably one of the most severe due to the nature of the data. The payload is believed to include names, social security numbers, birth dates, home addresses and some drivers' license information.
According to Equifax, the breach occurred between May and July this year. Yet it took until September for them to reveal the hack.
This is not atypical. Anyone who follows the infosec scene will have read the myriad annual security reports telling us the average time to detect a breach is around 180 days.
Simon Townsend, Chief Technologist for EMEA at Ivanti, said: "The real issue here is the time taken to respond and kick off the remediation process. The reason it took 40 days to report is unknown, but it will no doubt come down to a common challenge that many organizations face when IT teams and the business are not aligned or are not in sync when it comes to technology, processes and workflows".
With new breach notification laws set to come into effect in Australia next February, it's time to create and rehearse processes to detect breaches, report them to the Privacy Commissioner, and notify all affected parties. It's that last one many companies fail to pay enough attention to.
When the Red Cross Blood Service suffered a leak last year, one of the things they did particularly well was to notify all affected parties by email, SMS and through the media. If you were an affected blood donor, there was little chance of slipping through the communications net.
Are you similarly equipped? And have you tested your processes?
Over the coming weeks, we'll read a lot more about the Equifax breach as the forensic investigation continues. But for Australian businesses, it's a powerful reminder that it's time to get your breach notification house in order.