Last night we learned that Equifax, one of the three main consumer credit reporting agencies, suffered a data breach that has the potential to expose confidential information of nearly 50 percent of the American population.
This cyber security breach was discovered on July 29th and appears to stem from hackers exploiting vulnerabilities in Equifax’s website software.
Why it matters
The Equifax breach is different from prior breaches due to the sensitivity of the information exposed. Names, addresses, DOBs and Social Security Numbers are the four main pieces of information necessary to set up credit card accounts, take out loans and create new bank accounts. These four pieces of information are all available in one place, Equifax.
Making matters worse, Equifax also offers credit monitoring services to its customers. This sets up a potential scenario where hackers access confidential information through Equifax, set up phony accounts, then manipulate credit monitoring to make it appear as if there is no fraudulent activity at all. If a hacker controls the credit monitoring, how would you know if there is fraud on your account?
At this point you may be wondering: “How could things get worse?” Easy, sprinkle in some insider trading.
Three Equifax executives sold nearly $2 million worth of stock just days after Equifax discovered the breach. Executives typically set up 10b5-1 plans to schedule planned stock sales and avoid accusations of insider trading. According to SEC filings, none of these sales were planned in advance.
Burrowing deeper into its already sizable crater, Equifax publicly announced that the executives (one of them being the CFO) had no knowledge of the breach when they sold their shares. How could the CFO of Equifax not know about a potentially catastrophic data breach that was discovered and acknowledged days earlier?
Considering that one of its sources of revenue is tied directly to data breach response, you would think that Equifax would include a robust Cyber Incident Response Plan as part of its cyber security strategy. One that would set its customers' minds at ease and show regulators that it takes this event seriously. Although it's still early, the Equifax response has basically been a joke.
It took 5 weeks to announce the data breach to consumers, a delay that would have violated Europe's new breach disclosure regulations. The website Equifax set up for customers to determine whether or not their information was compromised asks for the last 6 (!!!) digits of their Social Security Number, then politely informs you that you will be eligible for ID protection in two weeks.
Finally, the Equifax response website itself is so poorly secured that certain systems have been blocking access to it, labeling the breach recovery site as a phishing threat.
The Equifax Data Breach Debacle of 2017 is a clear case of why it is so important for an organization's cyber security plan to include a comprehensive Cyber Incident Response Program. A robust CIRP enables your organization to rapidly contain damages, deploy response resources, and ultimately limit financial and reputational damage in the wake of a data breach.