Equifax delivers the 3:00 am burn notice to consumers and corporations.
Two renowned Silicon Valley venture investors, Ken Elefant of Sorenson Ventures and TJ Rylander of Next47, discuss the depth of the Equifax data breach, cybersecurity issues, best practices and safeguards for all corporations.
On September 7, 2017, Equifax announced a data breach exposing the full range of credit information on up to 143 million consumers: full names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers.
The Equifax breach appears to have taken place over a period of three months. Researchers at the Apache Software Foundation first reported the Apache Struts vulnerability on March 9, 2017. Apache Struts is part of the open source web server software widely used among corporations. Software updates and patches were available to address the security flaw, but the company did not take immediate action to update its web servers.
Equifax discovered the breach in its network on July 29, 2017. The company’s website claims the intrusion occurred from mid-May through July 2017.
The points discussed in the interview by Ken Elefant of Sorenson Ventures and TJ Rylander of Next47:
The extent of the data breach and the sheer number of consumers affected are going to have long-term consequences and will probably require new methods of secure identification.
Utility and access to applications have always trumped security concerns. Users have repeatedly accepted low or poor security in the name of easy access.
One of the important ways companies protect themselves is to set up a Red Team, a designated internal team with the goal of launching a cyber attack and penetrating the company’s network. Equifax apparently never set up a Red Team attack and did not ensure the immediate patching of vulnerabilities when they were announced and patches were made available.
Many of the most successful attacks take a “low and slow” approach, taking place over three to nine months, establishing ongoing penetration and movement throughout a specific network to evade detection from the existing network monitoring tools.
Company executives have responsibility and accountability for these breaches; it takes constant oversight and high-quality personnel to maintain system security.
Ken Elefant and TJ Rylander have years of experience as venture capital investors for cybersecurity companies. Both firms have a philosophy of contributing value to their portfolio companies by helping them build relationships with customers and partners. Each gave his perspective on how venture capital investors contribute to the success of portfolio companies.
Beyond the Interview:
What about Credit Monitoring or a Credit Freeze?
Internet discussions are full of comments on the low level of responsiveness to inquiries made to the three primary credit rating agencies, Equifax, Experian, and TransUnion. If you wish to institute credit monitoring or a credit freeze, you must contact each of the three major credit reporting agencies.
The purpose of credit monitoring, fraud monitoring or a credit freeze is to prevent someone from impersonating you in a financial transaction such as obtaining a credit card in your name or purchasing an item on credit terms.
The policies on the cost of a credit freeze or credit monitoring seem to vary every few days. For the time being, calling each of the three agencies to initiate a credit freeze or credit monitoring seems to be the more reliable method.
You will be asked to enter your private information, including Social Security number, birth date and components of your address, to verify your identity and to place restrictions on the requests for your credit history.
To freeze your credit, contact these credit bureaus:
In summary, we are just at the beginning of sorting through the issues of how to secure our credit history and personal information. Game Changers Silicon Valley will be posting a series of follow-up articles on the procedures by which we, as citizens, can effectively and selectively protect our credit information and restrict access to specifically authorized parties.