‘Biggest in history’ breach has lessons for UK businesses
In an announcement after normal business hours on Friday 15 September 2017, credit reference giant Equifax made the astonishing admission that the details of up to 400,000 UK consumers may have been compromised as part of a massive security breach that took place between May and July 2017.
The FT notes that “If Equifax’s concerns are borne out, the data breach would be the biggest in UK cyber history.”
Regardless of the implications for the security industry generally, what really puts the cat among the pigeons is that the data was obtained from servers in the US, not the UK. At a time when data location is already such a big issue, there are likely to be extensive repercussions.
What happened at Equifax?
So far, Equifax has confirmed that 143 million US consumers’ names, social security numbers, birth dates, addresses and so on were affected by the breach, and that the attackers got in through a vulnerability in Apache Struts, an open-source application framework used by the Equifax online dispute portal web application. Equifax has since identified the flaw as CVE-2017-5638, for which a fix had been published in March 2017, roughly two months before the intrusion began. In other words, the entry point was a known, patchable bug in an internet-facing application, not a novel attack.
Equifax has stood down its CIO and chief security officer, and is still undertaking investigations. In the case of the compromised UK residents’ information, it is already in dialogue with the Financial Conduct Authority and Information Commissioner’s Office.
Theoretically, of course, there should have been all kinds of procedures in place to protect UK and EU citizens’ data stored overseas on Equifax’s systems. Equifax hasn’t yet been that forthcoming about what went wrong, but has stated: “Regrettably, the investigation shows that a file containing UK consumer information may potentially have been accessed. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.”
Why does it matter where data is stored?
With the growth in cloud services, data location has become an ever-thornier topic for the EU and the US. Throughout the period covered by the Equifax data, EU privacy law (the Data Protection Directive) forbade the transfer of its citizens’ data outside the EU unless the destination was deemed to offer adequate privacy protections in line with those of the EU. Until October 2015, US companies could meet that requirement by self-certifying under the EU-US ‘safe harbour’ agreement.
Following a test case (Schrems v Data Protection Commissioner), the European Court of Justice ruled in October 2015 that ‘safe harbour’ was no longer valid. This triggered a rush to close down any potential loopholes that could affect US corporations doing business in the EU; for example, Microsoft was quick off the mark in assuring Azure customers that it was playing by EU rules.
Safe harbour’s ‘replacement’ – Privacy Shield – was accepted by the EU in July 2016, and US businesses became able to self-certify that they would stick to its terms. But plenty of concerns were expressed that it still did not do enough, and UK-based Privacy International claimed Privacy Shield fell below the standard necessary to guarantee the protection of individuals’ rights to privacy.
In any case, as we’ve seen, Equifax claims it did not correct the error that led to UK consumer data being held on US systems until 2016. We don’t yet know what its fix entailed, nor why data relating to the period 2011-16 appears to have remained vulnerable.
GDPR and data location
UK firms are currently preparing for the introduction of the EU’s General Data Protection Regulation (GDPR) in May 2018, and many are having to completely overhaul their approaches to data privacy in order to comply. In particular, they need to pay close attention to data location.
There already appear to be conflicts between GDPR and existing US data privacy legislation around what should be expected as a minimum standard of protection. Crucially, GDPR applies to the processing of EU residents’ personal data wherever the processing takes place, so moving the data to a US server does not move it out of scope. And because the penalties for failing to comply with GDPR are potentially going to be so severe, knowing where your business’s data is located has become a critical risk factor.
The reputational damage and financial penalties for the Equifax breach are likely to be considerable. If GDPR had been in force, with its maximum fine of €20 million or 4% of worldwide annual turnover, whichever is higher, the potential fines could have been stratospheric.
Ensuring data is stored in the UK
Even after Brexit, UK firms are essentially going to have to comply with GDPR – not only if they trade with the EU, but because all of its key aspects are being transitioned into UK legislation.
The immediate warning from the Equifax story is that every business that hasn’t already done so should audit exactly where its data currently resides, including copies held for replication, backup and disaster recovery, and take immediate, appropriate steps to ensure compliance (Vohkus can point you in the right direction for help if you need it).
If you’re setting up new off-premises services in the cloud, it’s even more essential that you make sure your data is physically located in the UK. For public cloud, that means choosing a provider with UK regions (Azure, for example, offers UK South and UK West) and pinning every resource to them, because a storage account created in a region outside the UK, or one that geo-replicates to a paired region, quietly puts data somewhere else. For private, shared or hybrid solutions it means being certain your data is held in the UK for both live systems and backups. That’s exactly the kind of fundamental principle that led us to become a UK provider of cloud services in the first place.
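As an added example (not Vohkus’s code and not taken from any provider), the following script shows the shape of the location audit described above: it walks a resource inventory and flags anything whose data can rest outside the allowed UK regions, counting geo-replicated storage by its secondary region as well as its primary. The inventory is constructed for the example and merely mimics the fields that `az resource list` / `az storage account list` return; the region-pair table is a partial subset of Azure’s published pairs, and the set of allowed regions is an assumed policy.

```python
import json

# Policy assumption: data may rest only in Azure's two UK regions.
ALLOWED_REGIONS = {"uksouth", "ukwest"}

# Partial, hand-written subset of Azure's published region pairs (assumption:
# extend it from the provider's documentation before relying on it). Geo-redundant
# storage replicates asynchronously to the paired region, so a "northeurope"
# account on Standard_GRS also holds a copy in "westeurope".
REGION_PAIRS = {
    "uksouth": "ukwest",
    "ukwest": "uksouth",
    "westeurope": "northeurope",
    "northeurope": "westeurope",
    "eastus": "westus",
    "westus": "eastus",
}

# Storage SKUs that keep a second copy in the paired region.
GEO_REPLICATED_SKUS = {"Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS"}

# Constructed sample inventory (not real resources), trimmed to the fields
# that `az resource list` / `az storage account list` emit.
SAMPLE_INVENTORY = json.loads("""[
  {"name": "crmdb-prod", "type": "Microsoft.Sql/servers",
   "location": "uksouth", "sku": null},
  {"name": "stprodbackups", "type": "Microsoft.Storage/storageAccounts",
   "location": "uksouth", "sku": {"name": "Standard_GRS"}},
  {"name": "stnlexports", "type": "Microsoft.Storage/storageAccounts",
   "location": "northeurope", "sku": {"name": "Standard_GRS"}},
  {"name": "stanalytics", "type": "Microsoft.Storage/storageAccounts",
   "location": "uksouth", "sku": {"name": "Standard_LRS"}},
  {"name": "rsv-dr", "type": "Microsoft.RecoveryServices/vaults",
   "location": "eastus", "sku": {"name": "Standard"}}
]""")


def resting_regions(resource):
    """Return every region a resource's data may rest in, not just its primary.

    Only storage-account geo-replication is modelled here; other services with
    their own replication (e.g. Recovery Services vault redundancy) are judged
    by primary location alone.
    """
    primary = resource["location"].lower()
    regions = {primary}
    sku = (resource.get("sku") or {}).get("name")
    if resource["type"] == "Microsoft.Storage/storageAccounts" and sku in GEO_REPLICATED_SKUS:
        # Fail closed: an unknown pairing is reported rather than silently passed.
        regions.add(REGION_PAIRS.get(primary, "unknown-pair"))
    return regions


def audit(inventory, allowed=ALLOWED_REGIONS):
    """Return [(resource name, sorted offending regions)] for resources that
    can hold data outside `allowed`; an empty list means the inventory is clean."""
    findings = []
    for res in inventory:
        outside = sorted(r for r in resting_regions(res) if r not in allowed)
        if outside:
            findings.append((res["name"], outside))
    return findings


if __name__ == "__main__":
    for name, regions in audit(SAMPLE_INVENTORY):
        print(f"OUT OF POLICY: {name} can rest in {', '.join(regions)}")
```

Run against the constructed inventory, `stprodbackups` passes even though it is geo-replicated, because UK South pairs with UK West, whereas `stnlexports` is reported for both its Dublin primary and its Netherlands secondary, and the disaster-recovery vault in `eastus` is caught on primary location alone. To use it for real, replace `SAMPLE_INVENTORY` with the JSON from your own provider’s inventory command and complete the pair table from the provider’s documentation.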
There’s likely to be plenty of fallout from the Equifax revelations to come. But for the moment the story acts as a wake-up call to all of us to make sure our data is absolutely, certainly, in the right place.