LATEST NEWS

DataBank Announces ~$2 Billion Equity Raise. Read the press release.

Get a Quote

Request a Quote

Tell us about your infrastructure requirements and how to reach you, and one of team members will be in touch shortly.

Schedule a Tour

Tour Our Facilities

Let us know which data center you'd like to visit and how to reach you, and one of team members will be in touch shortly.

Get a Quote

Request a Quote

Tell us about your infrastructure requirements and how to reach you, and one of team members will be in touch shortly.

Schedule a Tour

Tour Our Facilities

Let us know which data center you'd like to visit and how to reach you, and one of team members will be in touch shortly.

Get a Quote

Request a Quote

Tell us about your infrastructure requirements and how to reach you, and one of team members will be in touch shortly.

Schedule a Tour

Tour Our Facilities

Let us know which data center you'd like to visit and how to reach you, and one of team members will be in touch shortly.

Data Breach Survival: Navigating the Storm with NIST’s Expert Playbook
Data Breach Survival: Navigating the Storm with NIST’s Expert Playbook

Data Breach Survival: Navigating the Storm with NIST’s Expert Playbook

  • Updated on January 18, 2025
  • /
  • 7 min read

In 2017, one of the most significant data breaches in history struck Equifax, one of the largest credit reporting agencies in the U.S. The breach exposed the personal information of 147 million individuals, including Social Security numbers, birth dates, and driver’s license numbers. The story of Equifax’s breach serves as a cautionary tale for businesses on the critical importance of securing sensitive data.

The breach occurred due to a known vulnerability in Apache Struts, a widely used web application framework. Despite the patch being available for months, Equifax failed to apply it for various reasons. Attackers exploited this vulnerability, gaining access to sensitive customer data for weeks before the breach was detected.

Equifax’s handling of the breach compounded the problem. After the attack was discovered in July 2017, the company delayed public disclosure until September, drawing sharp criticism. The breach not only shook consumer trust but also led to a $700 million settlement to compensate affected individuals (Fung, 2019).

Richard Smith, former CEO of Equifax, admitted in testimony before Congress that the breach was “entirely preventable” had the company followed standard cybersecurity practices (Smith, 2017). This breach highlights the dire consequences of delayed patch management and inadequate incident response. Equifax’s story illustrates how even a well-established company can suffer immense damage from a data breach, impacting its reputation, finances, and customer trust.

A Foundation To Do Better

The National Institute of Standards and Technology (NIST) has developed a comprehensive incident response framework (outlined in NIST SP 800-61) that can help organizations effectively handle data breaches like the one Equifax faced. This blog will walk you through the steps outlined in the NIST framework, using lessons from Equifax’s experience to underscore the importance of each phase.

Establish an Incident Response Policy

Before any breach occurs, a company must have an established incident response policy. This policy should define the company’s strategy for identifying, responding to, and recovering from a data breach. It must also clearly delineate the roles and responsibilities of the Incident Response Team (IRT). The IRT includes cybersecurity professionals, legal advisors, communication officers, and other critical stakeholders who are tasked with responding to security incidents.

In the Equifax case, the lack of a well-defined response protocol exacerbated the damage. Not only did they fail to patch a known vulnerability in their system, but once the breach was discovered, their delayed public disclosure caused further reputational damage. Companies should ensure they have a protocol in place for quick and transparent communication with the public if a breach occurs.

Key Elements of an Incident Response Policy:

  • Defined Team and Roles: Assigning team members responsible for detection, analysis, containment, and recovery.
  • Criteria for Identifying a Data Breach: What events trigger the response plan (e.g., unauthorized access or system anomalies).
  • Communication Plan: Internal and external communication protocols, including customer notification requirements.
  • Escalation Procedures: Steps for escalating incidents based on severity and impact.

Prepare for a Data Breach

Preparation is the most critical phase of any incident response plan, and this is where Equifax fell short. By failing to update their systems with a known security patch, Equifax left itself vulnerable to exploitation. To avoid such costly mistakes, businesses must take a proactive approach to data security. This includes conducting regular security audits, applying patches promptly, and training employees to recognize potential security threats.

Key Steps for Preparation:

  • Patch Management: Ensure that known vulnerabilities are regularly patched and that there are no gaps in software security.
  • Security Audits: Perform routine assessments of your systems, applications, and network configurations to identify weaknesses.
  • Incident Response Testing: Regularly test your incident response plan with simulations or drills, ensuring your team is prepared to respond swiftly when a real breach occurs.
  • Employee Training: Educate employees on cybersecurity best practices and how to report suspicious activities or potential breaches.

By prioritizing preparation, companies can significantly reduce their risk of a data breach or at least minimize the damage if one occurs.

Detect and Analyze the Breach

Detection is the first step in responding to an actual data breach. Unfortunately, Equifax did not detect the intrusion until months after hackers had gained access to their systems. Early detection is crucial in minimizing the impact of a breach. Organizations should have monitoring tools and systems in place to alert them to suspicious activity.

Steps for Detection and Analysis:

  • Monitoring Tools: Implement tools such as intrusion detection systems (IDS), security information and event management (SIEM) solutions, and endpoint detection and response (EDR) systems to continuously monitor network activity.
  • Identifying Indicators of Compromise (IoCs): Look for telltale signs of a breach, such as unusual outbound traffic, unauthorized login attempts, or data exfiltration.
  • Perform Triage: Once a potential breach is identified, conduct a triage to determine the severity and scope of the breach. Identify the compromised systems, the type of data involved, and the timeline of the intrusion.

In Equifax’s case, their failure to detect and respond promptly allowed the attackers to stay within the system for an extended period, exacerbating the damage.

Contain the Breach

Once a breach is detected, the next step is containment. Containment involves isolating the affected systems and preventing the breach from spreading further. This step is vital in preventing additional damage and ensuring that attackers cannot continue to access or exfiltrate data.

Types of Containment Strategies:

  • Short-Term Containment: This involves immediately isolating affected systems to stop the attack’s progression. For instance, disconnecting compromised systems from the network or disabling user accounts that have been breached.
  • Long-Term Containment: After short-term containment, long-term measures should be implemented, such as applying patches, reconfiguring security settings, and monitoring systems to ensure the breach is fully under control.

Equifax failed to effectively contain the breach after its detection, allowing attackers to access sensitive data over an extended period. Swift and decisive containment is essential to limit the damage in any breach.

Eradicate and Recover

Once the breach has been contained, the next phase is eradication—removing the threat actor and their artifacts (e.g., malware, backdoors) from the system. Recovery involves restoring systems to normal operations, ensuring that security gaps have been addressed, and continuously monitoring for any signs of residual threats.

Key Actions:

  • Eradication: Remove malware, fix vulnerabilities, and close any backdoors used by the attackers.
  • Recovery: Restore affected systems from clean backups, monitor the system for any lingering signs of compromise, and validate that the vulnerabilities exploited during the breach have been addressed.

In the aftermath of their breach, Equifax had to undertake extensive recovery measures, including reconfiguring their security infrastructure and compensating customers affected by the breach.

Post-Incident Activities

Once recovery is complete, organizations should conduct a post-incident review to identify lessons learned and improve future responses. This phase involves documenting the breach, analyzing what went wrong, and refining the incident response plan accordingly.

Key Steps in Post-Incident Activities:

Incident Report: Document the breach’s timeline, impact, and the effectiveness of the response efforts.

  • Lessons Learned: Analyze the gaps in detection, response, and containment. What could have been done better?
  • Policy Updates: Use the lessons learned to update the incident response policy and improve security controls.

Equifax’s post-breach recovery involved costly settlements and a commitment to improving their cybersecurity practices. Businesses can avoid this level of damage by ensuring they learn from each incident and continuously improve their response mechanisms.

Conclusion

The Equifax breach is a stark reminder that no organization is immune to data breaches. By following the NIST framework—preparing, detecting, containing, eradicating, and recovering—companies can minimize the damage caused by a data breach and maintain trust with their customers. While Equifax’s delayed response and lack of preparation allowed their breach to spiral out of control, businesses that adopt a proactive approach to data security will be much better equipped to survive the storm.

Bibliography
Fung, B. (2019, July 22). Equifax’s $700 million data breach settlement is the largest ever. CNN Business. https://www.cnn.com/2019/07/22/tech/equifax-data-breach-settlement/index.html
Smith, R. (2017, October 3). Testimony Before the U.S. House Committee on Energy and Commerce. Equifax.

 


About the Author

Mark Houpt

Chief Information Security Officer

Mark serves as DataBank’s Chief Information Security Officer and is responsible for developing and maintaining the company’s security program road map and data center compliance programs. He brings over 30 years of extensive information security and information technology experience in a wide range of industries and institutions.

View all articles
Get Started

Get Started

Discover the DataBank Difference today:
Hybrid infrastructure solutions with boundless edge reach and a human touch.

Get A Quote

Request a Quote

Tell us about your infrastructure requirements and how to reach you, and one of the team members will be in touch.

Schedule a Tour

Tour Our Facilities

Let us know which data center you’d like to visit and how to reach you, and one of the team members will be in touch shortly.