Equifax is one of the major credit reporting agencies in the United States. Its primary business is collecting and maintaining consumer credit information and providing reports to lenders, businesses, and consumers. The 2017 Equifax data breach was one of the largest in history: approximately 148 million people were affected, and highly sensitive information such as Social Security numbers, birth dates, and addresses was compromised. The aftermath of the breach was devastating. A key question underpins it all: was it preventable?
The breach stemmed from an unpatched vulnerability in Apache Struts, an open-source web application framework. Attackers exploited this vulnerability to access Equifax's databases and steal personal data. Although a security patch had been released months earlier, Equifax failed to apply it in time, and the attackers moved undetected within the network for several months before the breach was discovered.
The 148 million people affected were exposed to identity theft, credit fraud, and phishing attacks. Equifax itself faced a significant financial penalty, including a settlement that required it to pay up to $700 million to affected consumers and regulatory bodies, on top of the massive reputational damage the company suffered.
Detailed reports released by the US House Oversight and Accountability Committee highlighted that Equifax's data breach was preventable. They urged companies to address weak management structures, outdated systems, and neglected security certificates.
Through research on Equifax and the recommendations of the US House Oversight and Accountability Committee, we identify the three factors listed below as critical to preventing data breaches: Security Certificates, Systems Infrastructure, and Consumer Education. Before you click through to learn about each topic, we encourage you to think about the questions below.
For Corporations: What is a security certificate? Are all of your security certificates activated? Does everyone in your IT Department know how your security systems function? When was the last time your security systems were updated? Do you think your security systems are designed in the most optimal way?
For Consumers: Do you know what sensitive information you have willingly shared? Do you know all the places you have willingly shared it? Have you ever fallen for a phishing attack? Do you look out for any suspicious notifications on apps where you share sensitive data? Would you know how to spot it?
For both consumers and corporations, if you found yourself hesitating or struggling to answer some of these questions, there may be more steps you can take to protect your right to data privacy. Click through each of these boxes now to find out what lessons we learned from Equifax, and how the entire breach could have been prevented.
At the time of Equifax's data breach, over 300 security certificates had expired, including those central to monitoring business-critical domains, so the tools meant to inspect traffic on those systems were not doing their job. This lack of oversight contributed to the breach going undetected for months. In fact, a study by Forrester Research found that over half of data breaches were due to avoidable certificate-management issues, highlighting how companies callously assume their systems are strong enough to withstand the increasingly sophisticated abilities of hackers.
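The failure mode described above, expired certificates on the very systems meant to watch traffic, is exactly what a routine expiry audit catches. The Python below is an added example, not code from the original page: it audits a constructed certificate inventory (the hostnames, roles and notAfter dates are made up) and ranks expired monitoring certificates first, since those are the ones whose lapse can blind detection; fetch_not_after is an optional live lookup that needs network access.

```python
"""Certificate-expiry audit (added example; inventory values are constructed)."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed inventory, shaped like an asset register would be.
# 'not_after' uses the OpenSSL text format that ssl.getpeercert() returns.
INVENTORY = [
    {"host": "tls-inspect.example.internal", "role": "traffic-monitoring",
     "not_after": "Jan 31 23:59:59 2016 GMT"},
    {"host": "legacy-app.example.internal", "role": "public-web",
     "not_after": "Nov 30 23:59:59 2016 GMT"},
    {"host": "www.example.com", "role": "public-web",
     "not_after": "Dec 31 23:59:59 2030 GMT"},
    {"host": "dispute-portal.example.com", "role": "public-web",
     "not_after": "Mar 15 12:00:00 2017 GMT"},
]
AUDIT_DATE = datetime(2017, 3, 1, tzinfo=timezone.utc)  # constructed audit date
WARN_DAYS = 30

def days_until_expiry(not_after, now):
    """Whole days until an OpenSSL 'notAfter' string lapses (negative once expired)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days

def audit(inventory, now, warn_days=WARN_DAYS):
    """Split the inventory into expired and expiring-soon certificates.

    Expired monitoring certificates sort first: while they are lapsed, the
    devices that depend on them may silently stop inspecting traffic.
    """
    expired, soon = [], []
    for rec in inventory:
        entry = {**rec, "days_left": days_until_expiry(rec["not_after"], now)}
        if entry["days_left"] < 0:
            expired.append(entry)
        elif entry["days_left"] <= warn_days:
            soon.append(entry)
    expired.sort(key=lambda e: (e["role"] != "traffic-monitoring", e["days_left"]))
    return expired, soon

def fetch_not_after(host, port=443, timeout=5):
    """Live check: read notAfter from the certificate a host actually serves."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    expired, soon = audit(INVENTORY, AUDIT_DATE)
    for tag, rows in (("EXPIRED", expired), ("EXPIRING", soon)):
        for e in rows:
            print(f"{tag:<9}{e['host']:<32}{e['role']:<20}{e['days_left']:>6}d")
```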
The Equifax data breach was aided by the company's complex, legacy IT systems. The US House Oversight report highlighted a sizeable gap between IT policy development and its execution, caused by unclear lines of authority, which delayed security implementations. This, coupled with Equifax's slow response to its unpatched vulnerability, led to a nearly six-week gap between the time of the breach and when the public was informed. Such concerns show that data privacy should not be an area of cost-cutting for companies: the Equifax breach could have been avoided if the company had invested more heavily in its data privacy systems and mechanisms.
While the majority of the fault in the Equifax data breach falls on the company, a disconnect in consumer education undoubtedly contributed to the six-week period between the hacking and when the public was informed. A major issue was that many affected consumers were entirely unaware of credit report monitoring, fraud alerts, and credit freezes. Consumer education on these tools could have allowed individuals to monitor their credit and catch suspicious activity earlier. Moreover, the aftermath of the breach was amplified as consumers searching for assistance online were further taken advantage of by fake websites posing as official Equifax resources. All of this underscores that both consumers and companies can take lessons from Equifax, as one of the most devastating data breaches in history was also, unfortunately, one of the most preventable.
Sources:
US House Oversight
House Oversight and Accountability
Forrester Research