Unraveling the Equifax Data Breach
Equifax is one of the three largest consumer credit reporting agencies, collecting information on over 800 million individuals and 88 million businesses worldwide. In September 2017, it announced that it had experienced a cyber-security breach in which the personal details of more than 145 million Americans were leaked. The information included their full names, addresses, driver’s license numbers, birthdays, and most drastically – their social security numbers. With all of these personal details in hand, malicious entities could open credit cards in the victims’ names, purchase homes, open bank accounts, take out car loans, etc.
Although the breach reportedly happened in July, it was not until September that the former CEO of Equifax, Richard Smith, released a public statement about it. In the interval between the breach and the announcement to the public, CBS News reported that Chief Financial Officer John Gamble and two other executives, Rodolfo Ploder and Joseph Loughran, sold a combined $1.8 million USD in company shares almost immediately afterward. Equifax made a statement on the subject suggesting that the executives were not aware the breach had occurred at the time they sold their shares, despite the fact that Equifax detected the breach on July 29th and the shares were sold on Aug. 1st and 2nd respectively.
So how did the breach even happen? The New York Times reported that the former CEO of Equifax claimed it was a single employee’s error. On several occasions, Mr. Smith referred to an individual in Equifax’s technology department who failed to ensure the implementation of critical software fixes and did not heed security warnings. Furthermore, the Department of Homeland Security had sent Equifax an alert in March about a critical vulnerability in software. Equifax has endured a number of breaches over the years, including one incident in which a woman named Katie Manning received ~300 credit reports belonging to random individuals in the mail after she tried to check her own report. The information on the other reports was of the same kind as that in the 2017 leak – social security numbers, dates of birth, bank account numbers, etc.
Furthermore, in the wake of this year’s data breach, Equifax set up http://www.equifaxsecurity2017.com/, a site to help people determine whether or not the data breach affected them. To demonstrate the vulnerability of this website and its domain name, a software engineer set up a fake website, rearranging the words in the domain to securityequifax2017. It was a mock phishing site, purportedly set up to educate people rather than actually steal their information – and it worked. People fell for it. Not just customers of Equifax, but Equifax itself. The company’s official Twitter account responded to customer inquiries by tweeting the link to the fake site instead of the real one. A banner at the top of the fake site read “Cybersecurity Incident & Important Consumer Information Which Is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?” What we have seen in the wake of this breach seems to be a series of human failures that, due to the magnitude of the company and the sensitivity of the information it handles, have had catastrophic reach.
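The lookalike domain above reused the exact words of the official hostname in a different order, which is easy to catch before a support account publishes a link. The following is an added example (not Equifax’s code, and not from the article) of such a pre-publication check: it allowlists the official hosts named in the article and flags any other host built from the same word tokens; the token list and the `classify_link` function are assumptions for this illustration.

```python
"""Pre-publication link check for a support account (added example, not Equifax code)."""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Official hosts from the article; every other host is treated as untrusted.
OFFICIAL_HOSTS = {"www.equifaxsecurity2017.com", "equifaxsecurity2017.com"}
OFFICIAL_LABEL = "equifaxsecurity2017"

# Word tokens that make up the brand's naming (assumption for this example).
TOKENS = ("equifax", "security", "2017")


def registrable_label(host: str) -> str:
    """Return the second-level label, e.g. 'equifaxsecurity2017' for www.equifaxsecurity2017.com."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def tokenize(label: str) -> Optional[List[str]]:
    """Split a label into known tokens, ignoring '-' and '_'; None if unknown text remains."""
    rest = re.sub(r"[-_]", "", label.lower())
    out: List[str] = []
    while rest:
        for tok in TOKENS:
            if rest.startswith(tok):
                out.append(tok)
                rest = rest[len(tok):]
                break
        else:  # no known token matches the remaining text
            return None
    return out


def classify_link(url: str) -> str:
    """'official' (allowlisted), 'lookalike' (same words, other order/separators), or 'unknown'."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    if host.lower() in OFFICIAL_HOSTS:
        return "official"
    candidate = tokenize(registrable_label(host))
    if candidate is not None and sorted(candidate) == sorted(tokenize(OFFICIAL_LABEL) or []):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("http://www.equifaxsecurity2017.com/", "securityequifax2017.com", "https://example.com/"):
        print(link, "->", classify_link(link))
```

A support workflow would block anything classified as lookalike or unknown from being posted and route it to a human reviewer.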
Timing is key when notifying stakeholders of a breach. That Equifax took so long to make a statement about its July 29th discovery damaged consumer-business relations, particularly when combined with the knowledge that company executives were selling shares before information on the breach went public. By contrast, Article 33 of the General Data Protection Regulation (GDPR) states that organizations should notify stakeholders within 72 hours of discovering a breach. The lesson here is to preserve stakeholder relationships by ensuring they are well informed of the goings-on of their investment.
Individuals affected by the Equifax breach should additionally be mindful of scams cropping up to ‘assist’ them in the recovery, as there are many malicious entities that may see this as an opportunity to further take advantage of the leak.