After what is actually the latest in a long series of data breaches at the company, credit reporting firm Equifax said that it will do a better job of protecting the personal and financial data of millions of consumers in the U.S. and abroad.
Equifax made this promise in a Sept. 7 announcement about the July 29 data breach that exposed the data of 143 million consumers in the US.
So far Equifax hasn’t provided much information about the breach beyond saying it’s due to an application vulnerability. However, even that tiny bit of information, coupled with the company’s reported history of lax security and an apparent failure to apply patches and updates in a timely manner, tells a troubling story.
Adding to the seeming lack of concern for critical personal data that is entrusted to Equifax comes word that before the breach was announced in September, three senior executives reportedly took advantage of their knowledge of the breach by selling massive amounts of the company stock.
Equifax’s apparent failure in its duty to protect customer data by keeping its computer systems secure has already resulted in multiple legal actions and at least one class-action lawsuit. That, along with the behavior of its executives, suggests that company leadership was looking out for its own interests rather than the interests of customers or consumers.
The July data breach is hardly the first one reported by the company. In fact, it’s not even the first one in 2017. A number of security researchers have found repeated vulnerabilities on Equifax sites, some of which used software that was over a decade old.
In another case, Equifax was sued by employees of national retailing chain Kroger after the company lost control of nearly a half-million names, addresses and Social Security numbers. In that case, Equifax was ordered by the court to fix its security vulnerabilities, but apparently failed to do so.
Fortunately for businesses, Equifax only lost control of consumer information. The company doesn’t track business credit histories. Another company, Dun and Bradstreet, handles business credit records. But the Equifax breach will still affect you.
The most obvious impact will come when you extend credit to customers. After such a large breach, it’s possible that anyone you do business with could be an imposter using stolen credit credentials. This won’t affect you if you’re dealing with a credit card transaction, but it could if you extend credit for some other reason. At least for large purchases, such as a vehicle, you will need to consider additional methods of confirming the identity of those customers.
In addition, you will have to find ways to confirm the identity of people when you’re using their credit for other reasons such as employment. Those ways could include taking a look at the customer’s other identification such as a government ID or a passport. The extra step may be annoying and time-consuming, but it will be necessary to protect your business.
The first step for consumers is to visit the special Equifax web page to check if their personal information was exposed in the breach. If so, they will have to watch their personal credit ratings to make sure that criminals aren’t creating fraudulent credit accounts with their stolen identities.
It would be wise for these consumers and perhaps anyone who has had dealings with Equifax to contact all major credit-monitoring services to ask that they watch for attempts to create new credit accounts—especially in locations far distant from their current residences.
Something that should be equally obvious is that businesses need to diligently apply patches and updates to operating system software and applications, especially public-facing web applications. Failure to do so in an environment where the business is responsible for protecting sensitive information is an invitation to be breached. There’s simply no reason to skip such a step.
There was a time when software patches were uncertain and updates were sometimes unreliable, but those days are long gone. Now, waiting until you’re certain that an update won’t break critical applications is unnecessary in most cases. In those cases where it is necessary, it’s time to start paying for updates for those applications or find a new solution.
The reason is that the price for failure to update is so high it can cost you your company, or at the very least it can cost millions of dollars in lawsuits and more millions in reduced valuation. Failure to implement timely updates should be something that your board will demand accountability for. But worse than that, it will be something for which your customers will hold you accountable.
Equifax has already sustained a sharp drop in its stock valuation and it’s possible that at least three of its executives will face charges for violating securities regulations for selling stock before the company publicly disclosed the breach. The company is also going to have to provide free credit monitoring for everyone in the United States.
Worse, Equifax already has one class-action suit that’s been filed in Oregon; more are certain to be filed, and the company stands to lose millions. Adding to the problems that Equifax is facing is the company’s poor record of managing its own security. A series of breaches stretching back years demonstrates that the company does not take security seriously. Furthermore, the actions of some of its executives will lend credence to the belief that all that really matters to Equifax management is personal enrichment.
That Equifax has presented itself as a trusted service for private consumer data only makes it worse. “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Equifax CEO Richard F. Smith in the breach announcement. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations,” he stated in the announcement.
“I’ve told our entire team that our goal can’t be simply to fix the problem and move on,” Smith said. “Confronting cyber-security risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
This is a positive sign, but in reality, considering the series of breaches that Equifax has experienced over the year, one must ask: Why didn’t Equifax take the danger of cyber-attacks seriously before the personal information of 143 million people was breached?