What Kiwi businesses can learn from the Equifax data breach

Cyber security boss Jamil Farshchi, who shared insights on cyber governance at the IoD’s Leading Directors' Forum in September, warns against complacency as the threat of ransomware and phishing attacks remains sky high.

By Peter Griffin, Freelance Writer
18 Dec 2023

As one of corporate America’s most experienced cyber security executives, Jamil Farshchi was already used to mopping up after cyber incidents when he was asked in early 2018 to join global consumer credit ratings giant Equifax.

In 2015, he had helped Home Depot recover from a devastating cyberattack that saw credit card details belonging to 40 million customers stolen. The US home improvement retailer later paid a US$17.5 million settlement with 46 US states and the Federal Government over the incident.

“I had a bit of a blueprint of what to expect, but Equifax was a completely different ballgame,” says Farshchi, Equifax’s chief information security officer, who has filled senior cyber security roles at Visa, Time Warner, NASA and the Los Alamos National Laboratory.

In March 2017, hackers had stolen terabytes of customer data from Equifax’s IT systems, including names, addresses, dates of birth, social security numbers, and drivers’ licence numbers for up to 143 million Americans.

Here was a company responsible for verifying the financial health of a large section of the US population having failed to properly secure their information. The Equifax data breach ultimately started with an insecure consumer complaints web portal, but spiralled in scope due to multiple security failures.

“The first six or eight months was effectively a world tour to meet with all our customers, not just to offer an apology but, more importantly, to tell them what we had learned,” Farshchi remembers.

The hack cost the jobs of several senior Equifax executives, including CEO Richard Smith. His replacement, Mark Begor, joined Equifax about a month after Farshchi and gave him a clear mandate to reinvent the company’s approach to cyber security.

“He has this saying, ‘say do’. We aren’t just going to talk, we are going to deliver on what we say we will do,” explains Farshchi.

Equifax has since invested US$1.6 billion in bolstering cyber security. It was one of the first multinationals to publish an annual cyber security report and publicly released its control framework outlining its security practices and procedures.

The aim, says Farshchi, was not just to try to rebuild the trust of customers, but to help other businesses avoid the pain Equifax had gone through. “I think consistently, we’re viewed as a leader within the space and one that others should mimic if they are found to be in that same kind of situation.” 

Equifax made the call to “lean in” on transparency, to double down on preventative security measures, and to prepare for the cyber incidents that will inevitably follow. Crisis communications, he says, turned out to be of critical importance, but are often ignored by boards and executive teams until they “are in the middle of a firefight”.

Relationships with forensic analysis firms and external legal counsel were shored up and Equifax undertakes cyber security exercises with its board every year, as well as its teams around the world. “It helps to build up great muscle memory for how to respond,” says Farshchi.

But he admits that, for all its best practices on cyber security, Equifax could again be brought to its knees if “[hackers in] China or Russia decided to turn their cannon on us exclusively”.

“They would win that fight,” he says. “I cannot find them by myself.”


A major cyber security push by the White House is encouraging public-private partnerships and information sharing to build intelligence capability about the cyber threat landscape. Farshchi is a strategic engagement advisor to the Federal Bureau of Investigation and collaborates closely with the Cybersecurity and Infrastructure Security Agency (CISA).

Earlier this year, he received a call from CISA director Jen Easterly about a looming cyber attack the agency’s intelligence network had picked up. “Around 48 hours later, the attack started. Because I had that heads up from our government, I was able to make sure we had everything buttoned up,” says Farshchi. 

A regular visitor to customers in New Zealand and Australia, he says cyber security efforts in the region are “moving in the right direction”, particularly in Australia, where high-profile data breaches at Optus and Medibank in 2022 spurred legislative changes and a ramp-up in federal cyber security spending.

“They saw first-hand what it’s like when you have a series of major cyberattacks and the effect it can have on the citizenry,” says Farshchi.

For New Zealand companies, he urges executive teams not to fall into the trap of thinking their risk profile is lower if they aren’t considered to be critical infrastructure players, such as banks, transport operators or power generators.

A wake-up call for the Americans, he says, was the ransomware attack on beef supplier JBS which shut down meat plants across the US and Australia for at least a day. JBS paid a US$11 million ransom to get its operations back online. A similar attack could be devastating for primary producers such as Fonterra and Silver Fern Farms.

Ransomware attacks, where hackers take control of IT systems and data, then demand money to unlock them again, remain the biggest security concern for Farshchi and his CISO colleagues, along with the phishing attacks used to steal the credentials that let a ransomware attack be initiated in the first place.

“It’s just really easy right now to execute those attacks at scale, have a ton of success and generate a king’s bounty in terms of rewards for very little effort,” he says.

The rise of generative AI, as popularised by ChatGPT, is playing into the hands of hackers, he adds. It allows them to create more convincing emails and messages to mask their phishing attempts and to automate aspects of the malware development process.

“GenAI reduces the barriers to entry. I might not have any coding skills, but I can have bad intentions,” says Farshchi.


On the flipside, with the cyber security industry suffering a severe skills shortage, estimated at a deficit of three million positions worldwide, AI has a valuable role to play in automating network monitoring and taking the load off overworked cyber teams, he says.

New Zealand has a small but growing group of CISO professionals embedded in our larger organisations. Farshchi isn’t hung up on the job title – some IT managers or CIOs (chief information officers) also have responsibility for cyber security.

Instead, he urges business leaders to place appropriate value on the insights cyber professionals bring to mitigating the risks the organisation faces.

“I think, oftentimes, people pigeonhole security folks. It’s just cyber security. But to be good at security, you have to be good at technology as well,” he says.

“Those people know much more than you probably think about how the business fundamentally operates, the technology stacks and the digital footprint that most companies need to be investing in.”