Supplier Risk Monitoring

Cybersecurity in 2017: Chronicling the Equifax Data Breach

Avatar Written by Dilip N

Equifax, one of the three largest credit reporting agencies in the US, reported a major security breach in September 2017. Equifax stocks plunged more than 13% in the after-hours trading following the announcement of the breach and still have not recovered completely. There are more than a dozen ongoing lawsuits against the company which will continue to takeaway not just the management bandwidth but also affect its reputation. The event will have its bearing on the entire credit rating sector, as there are calls for scrutiny into the operations of all credit rating companies.

Equifax gets people’s data from banks, credit card companies, lenders, and retailers. The data breach is one of the worst ever because of the amount of people affected and the sensitive type of information exposed.

Hackers exploited an Equifax website vulnerability which is said to have affected nearly 143 million US customers. 100,000 Canadian customers and 400,000 UK customers were also impacted. The intruders gained entrance into the company’s data from May until July 2017. The hackers accessed personal information like Social Security numbers, names, addresses, birth dates, credit card numbers, and also license information.

The attackers gained access to the Equifax system by exploiting vulnerability in the Apache Struts web-application. The bug had actually been disclosed back in March 2017 and a patch to fix it was available. Even though Equifax had ample opportunity to update and was aware of the patch, it still did not manage to successfully apply it several months later. It was also later revealed that Equifax had suffered a breach in March 2017, on which the company did not share any details. It is unclear if there is any link between the two breaches, but the first attack should have been a warning signal to take appropriate actions. The breach has led Equifax to face dozens of lawsuits from individuals, credit unions, shareholders, etc.

How the situation turned from bad to worse

  1. Delayed Data Breach Disclosure & Insider Trading Allegations: Equifax claimed that it learned about the data breach at the end of July 2017. The company took around six weeks to disclose the same during which four senior executives sold shares prompting an investigation by the US Justice Department. Ambiguous trading aside, at the least one would expect that Equifax might have used the time to draft a response and create a system for allowing customers to check whether their data was exposed or not. Instead, the company announced the sudden retirement of its CEO.
  2. Misdirecting Potential Victims: The first thing that people want to do when they get to know about a breach like this is to check whether their data was accessed. Instead of letting people to check on its main, trusted website, Equifax directed potential victims to a new domain which was bug-ridden and flagged by some browsers as a phishing threat.
  3. Waiving the Right to Sue: Post the data breach, it was reported that if a person wants to find out from Equifax’s website if his data is exposed, he waives his right to sue Equifax and must resolve all disputes by binding, individual arbitration. The waiver/arbitration clause set off a mild firestorm on social media. Only later, after closely reading the offending clause, it was clear that the class-action waiver and agreement to arbitration applied to Trusted ID (subsidiary of Equifax), and not to Equifax.

Other Recent Data Breaches

  • Uber witnessed a hack in 2016 affecting 57 million customers and drivers worldwide and 2.7 million users in the UK.
  • During September 2017, Deloitte was hit by a cyber-attack granting the hackers access to restricted areas and information.
  • Yahoo disclosed that all of its 3 billion email users were likely compromised in a 2013 breach that it disclosed in 2016.

How is the Equifax breach different from others?

In all of the above-mentioned breaches, the customers, clients, or users were affected. Leaving the affected data from the breach aside, if any of them want their information to be removed from the databases at any point of time, the same can be processed. But in Equifax’s case, people have no choice. Their information is included whether they want it or not. Plus, consumers are not the customers but their information is the commodity of Equifax and other credit bureaus.

Despite a data breach of this magnitude, the chances of Equifax or the broader industry being forced out of business are extremely slim. There is no disputing that Equifax will face challenges, might lose on clients, but a demise of the business is unlikely. Both Equifax’s and other credit bureau’s business of collecting personal and financial data from consumers and selling it to lenders is what keeps the credit spigot open.

A next blog in this series discussing the ‘Impact of Equifax’s Data Breach on Credit Reporting Industry’ will be published soon.

For more insights/updates on cybersecurity risks, check out Supply Wisdom AlertsTake a free trial to see how we can help you stay up-to-date on latest trends and be more proactive about monitoring and managing risks across your global locations and suppliers.