Equifax's headquarters in Atlanta. (Photo: John Disney/ALM)

According to a recent report by The Wall Street Journal, two years before the credit agency Equifax suffered one of the biggest data breaches in history, the company was hit by a possible cyberespionage-linked theft of confidential business information by former employees.

All the former employees believed to have participated in the alleged theft were suspected to have connections to the Chinese government, though the WSJ noted that U.S. law enforcement authorities did not have enough evidence to definitively make that determination.

At least one suspected employee—Daniel Zou, a Chinese-born Canadian citizen who worked in Equifax's Toronto office as a product manager before moving to Chinese fintech company Ant Financial—unequivocally denied stealing confidential information in an interview with the WSJ.

To be sure, Equifax had data-loss prevention and employee monitoring systems in place, and was able to uncover, in real time, the ongoing exfiltration of confidential data by its employees. So why did the data end up leaving the organization anyway?

A look at the ways in which Equifax uncovered—and ultimately failed to stop—employees exporting corporate data sheds light on pitfalls many companies can fall into when trying to combat insider threats within their own ranks.


The Personal Email Vulnerability

According to the WSJ, those investigating the potential insider threat at Equifax became alarmed when they discovered multiple employees “had sent codes to their personal email accounts and uploaded it to software-development platforms others could access.” For his part, Zou called this suspicion a misunderstanding, noting that he had a habit of sending work-related documents to his own email so he could continue to work from home.

But the question remains: Why didn't Equifax restrict employees from emailing sensitive information outside the company, for example, by using secure document management systems?

Joshua Robbins, partner at Greenberg Gross, said it might not be that simple. “It's very hard from a technology standpoint to block any ability to take any information out of the company unless you go to a very locked down approach.”

Such an approach, however, isn't business-friendly. “The problem is, it's impeding the work for employees who are trying to do their jobs and be more productive, especially these days when telecommunication and working from home is pretty common practice.”

What's more, it may be challenging for Equifax, and indeed any company, to determine exactly what information should be locked down. “The line between what are trade secrets and commercially secret information and what is sort of routine activity can be difficult to draw,” Robbins said.

Of course, any controls that are put in place to prevent data exfiltration are never foolproof, and an employee intent on circumventing them may at some point likely succeed.

After all, “if nothing else people can pull out their iPhones and take pictures of their computer screens, and there's no way companies can track that without searching employees' mobile devices,” Robbins said.


The Data Loss Alerts

On some level, Equifax was aware its employees were sending confidential information to their personal email addresses. The WSJ noted that Equifax had a data-loss prevention system that flagged Zou's activity. But the business information was still sent out of the organization. So what happened?

“There are many different possibilities here,” said Marcus Christian, a partner at Mayer Brown and a former executive assistant U.S. attorney at the U.S. Attorney's Office for the Southern District of Florida.

He added, “Sometimes companies find themselves, for a number of reasons, moving slowly when unusual information activity is detected early.”

One reason may be a lack of resources. “It could be that there is such a high volume of false negatives and limited resources in the security department, and at some level if there's too high a volume, you can't expect them to be on top of everything,” Robbins said.

Another reason could be that the systems used for monitoring aren't accurate. “Sometimes the monitoring systems overreports [its findings] and therefore the personnel that are responsible for it sort of ignore the alert alarms,” said Sharon Klein, partner and chair of the privacy, security and data protection practice at Pepper Hamilton. “So it's hard to decipher which of those incidents are really important and could cause a security incident.”

The report, however, noted that the data-loss system did not alert Zou that his activity was flagged. This might have been intentional. “A company would want to identify what they believe to be exfiltration and stop it while not telling the employees” as part of an investigation, Christian said.

But there are advantages in alerting employees as well. “Part of the function of that is to discourage employees who are acting in good faith and make sure they are thinking about this issue,” Robbins said.

What's more, “it also makes it easier to prosecute [an employee], or go after them civilly, if you can prove that the alert was provided,” he added.


Access and Distractions

The suspicion that the data exfiltration was linked to the Chinese government was driven in part by investigators' discovery that Zou accessed the company's human resources system and printed out contact information on ethnically Chinese Equifax employees—a charge Zou denies.

If true, however, the fact that Zou had access to HR records at all could potentially highlight a major flaw in Equifax's security—and one that all companies should guard against. “That is a significant problem, because HR information tends to be very sensitive,” Christian said.

“Unless he performed some sophisticated hacking to get access to it, it's a little surprising that an ordinary employee or even an executive would have access to the company's HR system,” Robbins added. “You'd think typically those are protected and have more limited access than other systems.”

Equifax, however, was so concerned that other ethnically Chinese employees were part of the insider threat that it built a short-lived security system to monitor only those employees, according to the WSJ.

Such a monitoring program could run Equifax into legal trouble. Robbins noted that “under U.S. laws, both state and federal, there is a big risk for companies if they're targeting a particular subset of employees.”

Still, Robbins said it is not hard to see why Equifax, or really any company, might focus exclusively on a particular group or threat. “From the standpoint of security personnel at the company, in a world of limited resources, they are going to be interested in focusing on what they take to be the highest threats and be data-driven in terms of their security, so you can see why they did it.”

But he added that companies should still be cautious and only roll out security processes that are supported by evidence and narrowly targeted. “It's well-advised to tread carefully about coming up with a broad policy in this area.”