Give credit where credit’s due, when it comes to our finances, whether business or personal, few of us can avoid using it.
We’re told to monitor our credit status, not only because it is an important part of managing our finances, but also because it can be an early indicator of identity theft. Which is why the reports that the US credit rating firm Equifax had suffered a data breach were particularly alarming.
While the full circumstances are still being established, Equifax issued a press release stating that ‘criminals exploited a U.S. website application vulnerability to gain access to certain files’. It appears that this vulnerability was due to a flaw in a tool used to support Equifax’s online dispute portal.
Frustratingly, the industry group that manages the open source software issued a statement announcing that they discovered the vulnerability – a flaw in the coding – and shared a fix for it back in March.
Worse still is the more recent confirmation from Equifax that they suffered a major hack involving a payroll related service in March.
Who is affected?
Equifax have announced that the data of 143 million Americans was stolen during the hack. This data included names, addresses, dates of birth, Social Security numbers, phone numbers. In addition, 209,000 US credit card numbers were obtained, in addition to “certain dispute documents with personal identifying information for approximately 182,000 US consumers.”
The company have also confirmed that the data of 400,000 UK residents has been illegally accessed, including names, dates of birth, email addresses and telephone numbers.
Why did it take so long to be made public?
The immediate assumption for a company delaying the announcement is likely to be self-interest. Data breaches are big news and bad news. Reputational damage can be extremely costly and it’s safe to assume that an organisation that has suffered a breach will take steps to limit this before they go public.
There can, however, be legitimate reasons for waiting to go public. There is the possibility that a criminal investigation may take precedence and disclosure of a breach could be withheld to protect the investigation. Also, organisations may not be aware of the extent of the breach and need to investigate, assessing the full scope of the breach and the consequences before they make an announcement.
Unfortunately, the circumstances surrounding the Equifax hack could be interpreted as self-interest, especially when you review the timeline and note the sale of shares and departure of key security staff.
What’s next for Equifax?
This has been a PR nightmare for Equifax. The reputational fallout from this breach has led the organisation to create a much-maligned website dedicated to providing consumers with information on the incident. The website itself has caused concern for vigilant consumers who have questioned the validity of the site after they were asked to enter their security details only to be met with a response screen telling them to enrol in complimentary identity theft protection. The protection on offer comes with its own negative publicity following accusations on social media that enrolling meant waiving the right to take legal action against Equifax over the breach. Equifax have since made it clear that the disputed arbitration language “will not apply to this cybersecurity incident.”.
It sure won’t. Equifax will inevitably have their day in court, as around 30 lawsuits against the company have been filed so far with one class-action lawsuit being filed alleging that Equifax had been negligent in protecting customer data.
Could the success of this hack be down to Equifax opting to save money instead of developing technical safeguards against cyber-attacks? If so, it’s just another example of a false economy in an environment where the old adage applies – if you fail to prepare, you prepare to fail.