An ASU director testified at a Senate Banking Committee hearing on Oct. 4 that focused on the Equifax data breach announced on Sept. 7.
Jamie Winterton, director of strategy for ASU’s Global Security Initiative, was critical of how Equifax handled the breach, which affected 145.5 million Americans, as well as the IRS’s decision to grant Equifax a no-bid, $7.25 million contract despite the credit company’s recent breach.
Equifax, which was hacked over the summer, did not publicly announce the breach until September. The breach was originally projected to have affected 143 million people, but the company later added 2.5 million more to that estimate.
During her testimony, Winterton emphasized that while being careful with data isn’t simple, Equifax’s errors were inexcusable.
“My main point in my testimony was that it’s not impossible to be a responsible steward of personal data systems, but it’s not easy either,” Winterton said in an interview with The State Press. “Some of the security gaps in Equifax’s security posture were really inexcusable.”
Throughout the committee hearing, former Equifax CEO Richard Smith, who retired in late September, said one individual's mistakes led to the breach. Winterton, however, said the blame shouldn’t be placed on one person within the company.
“To me that’s not a human error – that’s an organizational error,” Winterton said. “If you have a single person that’s responsible for the patch management system of a huge company that contains very serious personal data – that’s a problem that the organization isn’t valuing security. That’s not the fault of one guy not doing his job.”
Winterton also criticized Equifax for not encrypting data, a practice she said every company should be doing.
“It’s not terribly expensive – it doesn’t take a lot of time. It’s an easy way to take that extra step towards security,” Winterton said. “So that way, if someone does get into your system at a certain level, as long as they don’t get the encryption key, they’re not going to be able to make any sense of that data. Storing things in plain text is really irresponsible in my opinion.”
Adam Doupé, associate director of ASU’s Center for Cybersecurity and Digital Forensics, said the breach and the way it was handled underscore the importance of protecting data, but that fixing the problem is nearly impossible.
“It's definitely a long-term and difficult problem, and honestly, I don't know if we’ll ever be able to get rid of it,” Doupé said. “It’s a pipe dream, but I think the important thing is to think about what things we can do to measurably improve the security of an organization.”
Doupé also said that when looking at breaches at major companies with sensitive data, security teams have to think like potential attackers.
“Would I spend my time trying to break into a mom-and-pop business that has 10 employees, or would I want to break into the company that holds credit information on hundreds of millions of Americans?” Doupé said. “They had a big target on their back. It's hard to pin this to one company. Some of the details coming out point this to being a more cultural problem in that they didn't value security as an organization.”
Winterton said companies like Equifax should work with professors and the government to solve the problems.
“I do think we need to bring government, industry and academia together to help solve these problems,” Winterton said. “I don’t think we’re going to make much of a difference if we don’t.”
She also said that while data breaches may not be completely avoidable, the damage can be controlled.
“If you break into a system, you can get almost anything you want,” she said. “It’s time we start thinking about systems that are more resilient instead of just resistant.”
Despite criticism from multiple senators, the IRS is still keeping its contract with Equifax. In a statement emailed to The State Press, the IRS said it reviewed the situation and does not currently believe the breach has affected IRS data.
“Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems,” the statement said. “At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation.”
Winterton said other companies provide similar services, but that it is possible Equifax was best for the job.
“(Equifax has) a long way to go before they start to keep that information safe,” she said.