How Not To Be The Next Equifax

Lessons learned from 2017’s breach of the year.

Top-Level Takeaways

  • NAFCU says some credit unions have already re-issued cards; many fear a repeat.
  • FS-ISAC advises challenge questions that wouldn’t be answered in stolen data.

Here’s a New Year’s resolution: Don’t let 143 million consumers see their personal data hacked because the credit union didn’t patch a known security flaw.

The advice is too little too late for Equifax, one of the three major U.S. credit bureaus and the only one responsible for 2017’s most notorious data breach.

Although it can take months if not years for card fraud and other misdeeds to start showing up via players on the Dark Web, NAFCU says a lot of credit unions aren’t waiting around.

According to the trade group’s latest Economic & CU Monitor report, 20% of surveyed credit unions have re-issued cards because of the breach. And 63% said they were “very concerned” about another Equifax-type breach in the future.

NAFCU also says 64% of respondents to its survey now have a chief information security officer to “exclusively manage cyber-related activities” at their institution.

Those CISOs have plenty of company, if they choose to network outside their own walls. For instance, FS-ISAC earlier this year hired its first Credit Union Council manager, and she points out that cards aren’t the only concern.

“There are myriad ways this information can be used,” Heather McCalman says. And it can be very hard to pinpoint which breach caused which fraud.

But, as McCalman points out, while the purloined data from Equifax includes names, addresses, and driver’s license and Social Security numbers, it’s not clear that credit reports themselves were taken. Thus, changing challenge answers can be a simple yet powerful tool for thwarting theft from this breach.

Institutions can ask out-of-wallet questions, such as “at what branch did you open your account” or “what collateral did you use on your car loan?” Requiring that would be a good resolution for 2018, either way.

The global consortium of public and private institutions and organizations also offers these two to-do lists:

It Should Have Been So Simple

Heads rolled at Equifax. The breach cost the CEO his job, along with the chief information and security officers. And it was apparently avoidable. One employee didn’t apply a patch for a known flaw in the company’s Apache-powered servers, the former CEO told Congress.

“People didn’t follow up,” says Terrie O’Hanlon, chief marketing officer at DefenseStorm, an Atlanta-based provider of security services to more than 25 credit union and other financial clients. “It wasn’t escalated. Here’s this patch and it needs to be done, but it never happened.”

An average-sized credit union sees more than 2 million potential threats a day, which then become 200,000 alerts.

“From there you have maybe 186 items a day someone needs to look at,” says Steve Soukup, DefenseStorm’s chief revenue officer. “Someone needs to focus on separating the wheat from the chaff, and then there needs to be a conversation about it. It has to escalate. Technology can’t do everything.”

You Can Do It, Or We Will

It’s not a set of new rules, but a major government collector and analyzer of financial transactions and associated fraud has now also launched a fraud-fighting sharing service.

The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) says its new FinCEN Exchange will offer regular briefings with financial institutions to exchange information.

“This will enable financial institutions to better identify risks and focus on high priority issues, and will help FinCEN and law enforcement receive critical information in support of their efforts to disrupt money laundering and other financial crimes,” the network said in its Dec. 4 announcement.

FinCEN already distributes findings from its collection of Suspicious Activity Reports and Currency Transaction Reports. Participation in the new network is voluntary and doesn’t come with any new regulatory requirements, FinCEN says.

“The general consensus is that the Equifax issue was the result of a management failure,” says Gene Fredriksen, chief information security strategist at PSCU.

And if management doesn’t step up, someone else might.

“These types of issues are fertile ground for those who feel that the answer for management and governance programs is more regulations and oversight by the government,” Fredriksen says.

Dec. 15, 2017