In the aftermath of the Equifax debacle last week, the credit reporting company is facing some tough questions and close scrutiny from consumers, members of Congress, state attorneys general and regulatory agencies. As well it should. Hackers exploited critical vulnerabilities and lax security practices that left the company wide open, and wound up compromising the vital data of 143 million Americans. To put that in perspective, hackers now have all the information they need to compromise the identities of more than half of all adults in the U.S.
“The Equifax hack is a perfect example that highlights how businesses can get bitten if web application security is not taken seriously. Researchers identified a cross-site scripting vulnerability on their website back in 2016, yet Equifax never responded to their reports and never fixed it,” said Ferruh Mavituna, President and CEO of Netsparker, a web application security company.
If you’re in the IT channel, you might be taking a good, hard, long look at what Equifax did—and didn’t do—to leave themselves open for such a breach. For consumers, one of the most outrageous things to come out of the investigation so far is that this is not the first time Equifax has had to deal with such a breach. Back in 2013, the company suffered a data breach that exposed the data of several high-profile individuals, including celebrities and then-first lady Michelle Obama. And Fast Company has a fascinating story on Equifax’s abysmal history that’s definitely worth a read.
“It’s two strikes and you’re out for Equifax, which handles some of the most sensitive consumer information in the United States and now has permitted what is perhaps the worst breach of consumer information in our nation’s history,” said Dr. Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers (IAITAM). “After the breach debacle that Equifax went through in 2013, just four years ago, there is no conceivable excuse in the world for this kind of failure to happen again.”
From Target to Yahoo to Verizon, it’s clear that hackers’ abilities to maneuver through corporate networks and security practices are significantly ahead of what many companies have put in place.
“We know how to prevent these breaches and secure equipment, software, websites and apps,” continued Rembiesa. “There is just no excuse for this sort of thing to go on.”
Impact on consumers
The breach will undoubtedly have serious consequences for those whose information was exposed. Personal data has become one of the most valuable assets in the world, and the knowledge that consumers’ identities have been critically compromised is panicking people all over the country, as well as some in Canada and the U.K. who were also victims.
“[Personally identifiable information] can’t be changed or replaced,” said Kevin Lancaster of ID Agent, a Dark Web monitoring and identity theft protection company. “You can’t change your mother’s maiden name, your social security number or your date of birth. It’s attached to you for life. So the impact of this data breach will be long lasting.”
There will be many waiting with bated breath to see who or what the bad actors will sell the data to. Was it an inside job? Will the highest bidder be an organization that wants to lead the most epic phishing scheme ever? Can nation-states use the data to manipulate elections or otherwise damage the country’s infrastructure?
“If we look at this from a helicopter perspective - a society that can’t protect its citizens’ personal information will eventually see the system collapse,” says Ebba Blitz, CEO of AlertSec. “Once a social security number is no longer a valid means of identifying oneself we have to establish a new, as of yet unknown, order.”
Even if you’re not an Equifax customer, the company still has a lot of your personally identifiable data. And the irony of one of the companies people rely on to safeguard their data being compromised on such an immense scale isn’t lost on security experts.
“Cybercriminals would like to have enough information about you that they can in effect become you, and Equifax possesses that quantity and quality of data,” said Kenneth Geers, senior research scientist at Comodo, NATO Cyber Centre ambassador, and former NSA/NCIS analyst.
Fallout for Equifax
Equifax seems determined to make the situation look as bad as possible. We’ve learned the hack was discovered on July 29, but it was not publicly announced until a third of the way through September. Panicked consumers trying to find out whether or not their data was compromised (pro tip: go ahead and assume it was) have been stymied by jammed customer support phone lines and a website that gave inconsistent, incomplete information, when the site worked at all.
Then there were the three Equifax senior executives who sold shares collectively worth almost $1.8 million in between when the hack was discovered and when it was announced (shares have tumbled more than 20 percent since the hack was announced on Thursday). According to an August 1-2 regulatory filing, CFO John Gamble raked in a whopping $946,374; president of U.S. information solutions Joseph Loughran netted $584,099; and Rodolfo Ploder, president of workforce solutions, cashed in for $250,458.
Equifax is maintaining that the three had no knowledge of the hack, but that’s a little hard to swallow. After all, if you’re a high-ranking executive at a credit reporting agency that discovered a screw-up of this magnitude, it doesn’t make a lot of sense that the news would take eight weeks to hit your inbox. Though the accusations being leveled against the trio are only speculation at this point, millions of people are (rightly) incensed that those who should have been in the know made money on the trades, days before the lives of 143 million Americans were turned upside down.
“What is perhaps most disturbing to me is how three top Equifax officials – including the CFO of the company – could cash out stock immediately before this kind of announcement and then claim ignorance as a defense for doing so,” said Dallas N. Bishoff, director of security services at Stratiform. “If this is what passes as acceptable management, at a leading U.S. company handling the most sensitive information about 100 plus million Americans, then we are going to see many more breaches like this in years to come.”
The cherry on top was the discovery of a forced arbitration clause that seemingly indicated consumers had forfeited their right to join a class action lawsuit against Equifax in order to receive credit protection. Consumer advocates immediately raised a battle cry. New York Attorney General Eric Schneiderman called the clause “unacceptable and unenforceable.”
The company today has removed that language from their website and says the forced arbitration requirement would not apply to those impacted by the breach, but rather only to the free credit file monitoring and identity theft protection products they offer. And the lawyers are already announcing suits.
The company released a statement in which Equifax chairman and CEO Richard Smith gave perhaps the most inane public relations blurb of all time.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” he said in the statement. “We pride ourselves on being a leader in managing and protecting data.”
What you can do
Unfortunately, there’s just not a whole lot consumers can do to mitigate the damage. Equifax created a website to help consumers figure out if they’re one of the 143 million whose data is at risk, though many report the website being down or giving inaccurate or inconsistent information. Perhaps the most nerve-wracking thing about that system is that you have to submit your last name and six digits of your Social Security Number to the very company that is responsible for not safeguarding that data in the first place.
Stu Sjouwerman, founder and CEO of KnowBe4, has some tips on what to watch out for as bad actors inevitably begin to use the stolen data to launch social engineering attacks:
- Phishing emails that claim to be from Equifax where you can check if your data was compromised
- Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information
- Calls from scammers that claim they are from your bank or credit union
- Fraudulent charges on any credit card because your identity was stolen
Sign up for freecreditreport.com or another credit monitoring company and monitor it closely. Equifax is offering one free year of this service, but many consumers are justifiably skeptical of using it. If a bad actor does get ahold of your information, one of the most common next steps is to apply for accounts in your name, so in addition to watching your credit score like a hawk, it’s not a bad idea to also freeze your credit files at all three major credit bureaus: Equifax, Experian and TransUnion. Just remember that freezing your credit means you, too, can’t apply for new accounts.