The Equifax data breach: what directors need to know

Tuesday, 12 September 2017


    A massive data breach at US credit-reporting company Equifax is providing a cautionary tale on what not to do in response to a cyber attack.

    What happened?

    Last Thursday, 7 September, the US credit-reporting company Equifax disclosed it had been subject to a hack that had exposed the data of 143 million Americans, a little over 40% of the US population. The information includes social security numbers, birth dates, addresses, driver's license numbers and credit card numbers for 209,000 of those affected and 'dispute documents with personal identifying information' of 182,000.

    It is being called the worst data breach in history. "Other cyberattacks, such as the two breaches that Yahoo announced in 2016, have eclipsed the penetration at Equifax in sheer size, but the Equifax attack is worse in terms of severity," according to the New York Times. “This one is a different animal in the sense of the nature of the information that was breached,” Richard Fairbank, chief executive of financial services company Capital One, said.

    How did it happen?

    The hackers exploited a website application vulnerability to gain access to the huge database of personal details from mid-May through to July, according to Equifax's public statement. Outside of that statement, Equifax has been vague on the source of the breach. the New York Post reported that Equifax had told an investment analyst the hack exploited a flaw in open-source Apache software STRUTS, a system that's used widely by major companies including Lockheed Martin, Citigroup and Virgin Atlantic. Apache has released a statement saying, "At this point in time it is not clear which Struts vulnerability would have been utilized, if any. The software provider went on to say that the hackers could have used a vulnerability announced in July on an unpatched Equifax server or "exploited a vulnerability not known at this point in time – a so-called Zero-Day-Exploit."

    In light of the breach, security researchers have started scouring the company's digital architecture for weaknesses, claiming to have identified potential vulnerabilities where the company relies on archaic code and technology.

    How has Equifax responded?

    The company waited six weeks after it discovered the breach before going public. It has been roundly criticised for denying those affected by the breach critical time to take defensive measures.

    "Six weeks is a gold mine for identity thieves to wreak havoc on credit card and bank accounts," the Chicago Tribune editorialised. “Hackers by now could have sold all your information online on the dark net. Someone could be using it and you wouldn’t even know yet,” Hemanshu Nigam, founder of the online safety advocacy firm SSP Blue, told The Washington Post.

    Even Equifax's attempts to help the victims of the data breach have come under fire. The company offered victims a free one-year subscription to its credit monitoring service but initially required credit card information, which it would use to charge for the service at the end of the free period unless those taking up the offer proactively unsubscribed. Under pressure from critics who accused the company of profiting from the data breach, Equifax issued a statement that it would no longer request credit card details for the free offer.

    After initially charging people who requested freezes on new creditors seeing data their data files – a move which can prevent fraudsters from applying for credit – Equifax also announced on 12 September that it would waive fees on freezes.

    CNN has called Equifax's response a "public relations catastrophe". Public relations experts have called for more transparency from the company. "I want to know how did this happen... and where do we go from here," Ronn Torossian, CEO of public relations agency 5WPR said.

    What is the fallout so far?

    The revelation that three company executives – Chief Financial Officer John Gamble, President of U.S. Information Solutions Joseph Loughran and President of Workforce Solutions Rodolfo Ploder – sold shares worth almost USD 1.8 million in the days after the company discovered the breach, and well before it was announced publicly, has added fuel to the public outrage. “If that happened, somebody needs to go to jail,” Democratic Senator Heidi Heitkamp said. “It’s a problem when people can act with impunity with no consequence. How is that not insider trading?”

    American politicians have called for Equifax to provide more information on the steps Equifax took to safeguard information and their attempts to notify those affected by the breach. Committees in both the US Senate and House of Representatives have either scheduled hearings on the breach or sent ‘please explain’ letters to Equifax and its executives. The Trump White House, usually regulation averse, has said that it will consider new rules to protect consumer data. At least 32 class actions have already been filed against the company, according to the San Diego Union-Tribune.

    Are you and your organisation prepared for a cyber attack? Take the AICD's new Cyber for Directors course and be confident you can protect your organisation's data, while also seizing the opportunities of the digital age.

    Latest news

    This is of of your complimentary pieces of content

    This is exclusive content.

    You have reached your limit for guest contents. The content you are trying to access is exclusive for AICD members. Please become a member for unlimited access.