Key takeaways from the Equifax security breach.
Equifax breach: Why the aftermath has victims caught in chaos

Equifax—one of the "Big Three" credit reporting agencies—announced on September 7th that it fell victim to an enormous data breach, which exposed the private data of about 143 million Americans. The breach reportedly happened because Equifax failed to patch a known vulnerability.

The worst part of the breach wasn't that there was a massive exposure of personal data. No, the most depressing part of this ordeal was that worried customers who followed Equifax's instructions encountered a website with serious security issues.

Hosts breach response on shared SSL, misdirects victims.

The website Equifax set up as a response to the breach, equifaxsecurity2017.com, was made for customers to find out if they were affected by the breach. Here's why this wasn't a great idea:

  • The breach response site was hosted using a Cloudflare shared SSL certificate. This means that thousands of other websites use the same certificate, and therefore the same private key. Compromise of that single private key would allow a man-in-the-middle attack against every website that uses the certificate.
  • Since the breach response website was secured using shared SSL, trusted security tools started flagging the domain as insecure, which only added to the chaos.
  • As expected, many phishing sites with names similar to equifaxsecurity2017.com started to emerge. One such site, "securityequifax2017", was created by a security professional just for the sake of trolling Equifax's security practices. Soon, Equifax themselves were caught in the trap and started directing users to the imposter website!

What Equifax failed to do.

It's usually during the aftermath of a breach that hackers thrive. Customers start panicking, and hackers try to benefit from this panic by stealing customer data. Had Equifax adopted either of the following approaches for constructing their breach response website, the breach's aftermath would have been much less chaotic.

  • Use their home domain: The breach response site could've been hosted on Equifax's home domain (equifax.com) instead of a new, dedicated site. Using their home domain would have left users with no doubt about its legitimacy.
  • Extended Validation: Equifax's breach response website should've been secured with an Extended Validation (EV) SSL certificate, which guarantees the highest level of security for a website.

Many enterprises also fail to recognize and remedy the following problems:

  • Failing to track the expiration of SSL certificates.
  • Overlooking vulnerabilities in certificate configurations.
  • Using self-signed certificates for public-facing websites.
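The three problems above, together with the shared-certificate concern raised earlier, are all visible in the certificate itself, so an inventory check can flag them before a customer or a security tool does. The following Go program is an added example written for this article, not code from Equifax, Cloudflare or any product: it generates three constructed test certificates (a self-signed public-facing certificate, a CA-issued certificate about to expire, and one certificate carrying 40 hostnames, the pattern of a shared certificate) and runs an `InspectCert` check over each. The 30-day expiry warning and the 20-hostname threshold for "shared" are assumptions chosen for the example; Extended Validation status is not checked.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Thresholds for the inventory checks. Both values are assumptions chosen for this
// example, not settings from the article or from any product.
const (
	ExpiryWarnDays = 30 // flag certificates that expire within this many days
	SharedSANLimit = 20 // flag a certificate that lists at least this many hostnames
)

// RefTime is the fixed "today" used by the checks (shortly after the breach announcement).
var RefTime = time.Date(2017, 9, 15, 0, 0, 0, 0, time.UTC)

// CertReport is what an inventory check records for one certificate.
type CertReport struct {
	CommonName   string
	SelfSigned   bool // issuer equals subject and the signature verifies under the cert's own key
	DaysToExpiry int
	ExpiresSoon  bool
	SANCount     int  // hostnames in the Subject Alternative Name extension
	Shared       bool // many hostnames behind one certificate, hence one private key
}

// InspectCert runs the expiry, self-signed and shared-certificate checks on a parsed certificate.
func InspectCert(cert *x509.Certificate, now time.Time) CertReport {
	r := CertReport{CommonName: cert.Subject.CommonName}
	r.SelfSigned = bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	r.DaysToExpiry = int(cert.NotAfter.Sub(now).Hours() / 24)
	r.ExpiresSoon = r.DaysToExpiry <= ExpiryWarnDays
	r.SANCount = len(cert.DNSNames)
	r.Shared = r.SANCount >= SharedSANLimit
	return r
}

// makeCert builds a constructed test certificate. With parent == nil it is self-signed;
// otherwise it is issued by parent and signed with parentKey.
func makeCert(cn string, sans []string, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             RefTime.AddDate(0, -1, 0),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SampleReports inspects three constructed certificates that mirror the article's concerns.
func SampleReports() map[string]CertReport {
	ca, caKey := makeCert("Example Test CA", nil, RefTime.AddDate(10, 0, 0), true, nil, nil)
	// A public-facing site on a self-signed certificate.
	selfSigned, _ := makeCert("selfsigned.example.test", []string{"selfsigned.example.test"},
		RefTime.AddDate(1, 0, 0), false, nil, nil)
	// A CA-issued certificate that expires in ten days.
	expiring, _ := makeCert("soon.example.test", []string{"soon.example.test"},
		RefTime.AddDate(0, 0, 10), false, ca, caKey)
	// A shared certificate: one private key covering dozens of unrelated hostnames.
	sans := make([]string, 0, 40)
	for i := 0; i < 40; i++ {
		sans = append(sans, fmt.Sprintf("tenant%02d.example.test", i))
	}
	shared, _ := makeCert("shared.example.test", sans, RefTime.AddDate(1, 0, 0), false, ca, caKey)
	return map[string]CertReport{
		"self-signed": InspectCert(selfSigned, RefTime),
		"expiring":    InspectCert(expiring, RefTime),
		"shared":      InspectCert(shared, RefTime),
	}
}

func main() {
	for name, r := range SampleReports() {
		fmt.Printf("%-12s self-signed=%-5v days-to-expiry=%-4d expires-soon=%-5v SANs=%-3d shared=%v\n",
			name, r.SelfSigned, r.DaysToExpiry, r.ExpiresSoon, r.SANCount, r.Shared)
	}
}
```

In a real inventory the certificates would come from a TLS connection or a key store rather than from `makeCert`; `InspectCert` itself only needs a parsed `*x509.Certificate`, so it applies unchanged to production certificates, and the SAN-count heuristic would have flagged a certificate shared with thousands of unrelated sites immediately.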

Today, websites tend to serve as the primary interface between an organization and its customers. Enterprises should take sole responsibility for keeping their website intact and secure. SSL certificate management solutions such as Key Manager Plus help organizations secure their domains with SSL certificates, identify vulnerabilities associated with their websites, and track certificate expiration with ease.

Click here to learn more about how Key Manager Plus can provide you with much-needed security and information about your website.