Thursday September 7th, 2017 was a big day in the world of cyber security. Equifax Inc, a credit reporting agency in the United States which is considered to be one of the three largest American credit agencies was compromised by a cyber attack. This “Equifax data breach 2017” will go down as a historical event. Here’s why, and what it means for you.
Why is this case really bad?
There have been many data breach cases documented in the past 5 years. However, most of those cases involved theft of credit card data or emails and phone numbers. That’s inconvenient, but it’s still manageable for consumers to overcome the implications. Contact your bank. Report your data stolen and request a new credit card. Change your passwords online.
The Equifax breach is a more serious matter. Since Equifax is a credit reporting agency dealing with individuals, businesses, and government, they have much more sensitive data. When Equifax put out a statement about the breach, they informed consumers that the following data points had been compromised:
- Full Names
- Social Security Numbers
- Drivers License Numbers
- Credit Card Numbers
If you thought to yourself, “That’s most of the information I need to open a bank account!” Then you understand why this data breach is more serious than others in recent history. In this instance, we are dealing with potential identity theft. How many people are affected by this breach? 143,000,000 U.S. consumers.
Reactive behavior doesn’t save companies
Like any S&P 500 would do, Equifax has executed a number of activities to make customers feel better (and to save the company). The first move was to set up this website for all customers to find up-to-date answers to common questions regarding the issue. As a part of this effort, Equifax has offered to enroll all participating customers in an identity theft protection program for free. But it’s Equifax’s own in-house identity protection program… and it’s only free for one year. First of all, why would anyone trust them to keep data protected after this breach? Second, who pays for the service after a year has expired? Most likely the customer will foot the bill after the initial year. With millions of records stolen, it might be 5 or 10 years before the cyber criminals get around to using your data. So just one year of protection services doesn’t solve the problem. This appears to be an attempt by Equifax to generate new business opportunities from the data breach.
To make matters worse, included in the terms of service that users must agree to in order to sign up for the proposed identity protection services, there is a clause that makes signees ineligible for any future class action suits against Equifax. They did come out later and make a statement that this clause doesn’t apply to this particular cyber security breach. But that doesn’t make us feel very warm and fuzzy.
Let’s wade deeper into the mire. If Equifax Data Breach 2017 wasn’t bad enough already, Bloomberg put out a report showing that certain top executives of Equifax-owned companies sold off large shares of stock just days after they discovered the breach internally. This could now turn into an insider trading scandal. For those interested, you can read more about all the messy internal errors here.
What is the biggest lesson here?
As IT experts have echoed again and again, we must strive to be proactive instead of reactive. Equifax Data Breach 2017 has affected millions of people. Billions of dollars are at stake. And now, there’s not much anyone can do but patch up a sinking ship. Equifax may still float for the next 100 years, but it will never float the same.
How can companies be proactive in preventing cyber breaches?
Cyber security is one part technology and one part human excellence. Companies should definitely be using the best cyber security software and technology that they can afford. Cutting corners on technology is extremely risky and a big mistake. It’s no longer acceptable to only have an external firewall.
The most important part of cyber security, and also the most overlooked, is human performance.
Someday we may rename IT from information technology to ITP, information technology and processes. The process behind executing flawless IT is what enables true safety of information. Software is designed to function like a machine, it’s the user input that causes most failure. Bad passwords. Downloading files with malicious code.
Through DevSecOps, most developers have found a way to make their code secure. What about the people using IT? Are users aware of how their own practices might be the root cause of a future data breach? At Advanticom, we believe strongly in creating an environment that is secure from 360 degrees (that’s why we’ve taken the step to be Pittsburgh’s only ISO 27001 certified IT firm). How are you doing with your own cyber security practices?
Here are a few questions to ask about your company:
- Am I using the best technology to defend against cyber attacks?
- Are my people trained to prevent human error that could cause a cyber breach?
- Do my employees follow an information security policy?
- How often do we test our employees on the latest best practices?
- Is there someone in my company who is monitoring the latest trends in cyber security?
- Does my executive team understand the reality of the cyber war?
- When was the last time my company had a cyber security audit?
Equifax Data Breach 2017 – Next steps for companies of any size
If you are reading this and your company is based in Western PA, pick up the phone and get in touch with Advanticom for a cyber security assessment. If you are from some other part of the world, find your nearest cyber security team. (Make sure they have an ISO certification or similar qualification to know that they take cyber security seriously!) Better to be safe than to be sorry. In the case of Equifax, there are nearly 140,000,000 “sorry’s” that could have been avoided. Don’t become another Equifax Data Breach 2017.
Please leave your comments in the section below. We would love to hear from you! What’s your opinion on the Equifax breach?