Equifax: A lesson in how not to handle a major data breach


Equifax has become the latest company to fall foul of hackers, as a major data breach sends 143 million customers’ personal information into the cyber ether. Richard Parris, CEO and Chairman of Intercede, explores the latest in a string of cyberattacks against high profile companies and how, in this particular case, the reaction from Equifax has been sorely lacking and the consequences severe and far-reaching 

The world looked on in dismay when Richard Smith, Chief Executive of Equifax, commented that the data breach against his company was ‘disappointing.’ Smith clearly didn’t grasp (or want to grasp) the enormity and severity of the issue when speaking to media and customers about the fallout of potentially one of the biggest – if not the biggest – cybersecurity incident of recent times.   

We need to talk about Equifax 

On Friday 7th September Equifax, one of America’s ‘big three’ credit bureaus, announced it had suffered a data breach. 143 million customers (approximately half of the population of the United States) had records stolen: first and second names, social security numbers and, in some cases, credit card details. The twist in this story is that, according to Equifax, the hole hackers wormed their way through wasn’t down to human error or poor password management, but a vulnerability in Apache Struts, free, open-source software used to create Java applications. Once that software had been breached, the cyber criminals, whoever they are, were then able to access credentials (PINs, usernames and passwords) to grant themselves access to customer records. As a result, customers have been left exposed to potential identity theft, as hackers built up profiles of information based on the pieces of information leaked.

The so-called bastions of customer data 

So Mr Smith, this incident is a little more than disappointing, don’t you think? Over the years we have seen hack after hack against a variety of different companies, but what Equifax’s recent downfall shouts to us is that organisations are still not taking security seriously enough. Companies like Equifax are supposed to be the bastions of customer data. Yet this recent breach demonstrates, beyond reasonable doubt, that businesses are still neglecting customers’ data. Whether it’s passwords being hacked or vulnerabilities in software being exploited, the end result is still chaos for all, with consumers unfortunately left in the dark about how it has or could impact them.

A bandage for a bullet hole  

The Equifax ordeal was a textbook example of how not to handle a crisis of this nature. From what Equifax has told the public, we understand the breach happened sometime between mid-May and July this year, due to a vulnerability on its website. However, the breach wasn’t brought to light until now. Why the long delay? While the vulnerability has now been patched, the damage has already been done.

Unfortunately, Equifax’s remedial action was too little, too late; a bandage for a bullet hole; an avoidable situation. Communication with customers has been far from prompt and transparent. Had this incident happened under the GDPR legislation due to take hold in May 2018, there would have been much harsher (and deserved) consequences for the incident happening in the first place, and the time it took for the company to respond overall.   

Passwords are risky business 

Another point that needs to be addressed is the fact that Equifax is still allowing customers to manage their accounts through passwords and PINs. Earlier this year CEX, one of Britain's largest retail franchises, disclosed it had been hit by a data breach compromising the information of as many as two million customers. In response, CEX predictably uttered the words that most companies do in response to a cyberattack: “change your passwords.”

It’s no longer acceptable to put customers at risk, advising them to ‘change or use complex passwords’ when passwords are the root cause of the majority of data breaches today; they are inherently insecure and easily hacked. In fact, we recently conducted some research into how systems administrators, the individuals who hold the keys to an organisation’s kingdom, are protecting business accounts and, in turn, customer data, within major enterprises. The results weren’t too encouraging: 86% of systems administrators are still using basic password authentication to protect data. What’s more, 50% of respondents admitted that business user accounts in their organisations were ‘not very secure.’ Based on these figures, it is near impossible for us to trust those we give our information to. Businesses may as well leave the metaphorical door open and welcome hackers in with a smile.

Better alternatives for a more secure future

There’s really no excuse for companies to put our data at risk. Businesses have been warned that current security methods are no longer enough to fend off cyber criminals and it’s us – the general public – that are left to wonder who has access to our data and which of our online accounts could be compromised next. If service providers insist on using usernames and passwords and there is no alternative, then consumers can increase their own security in a couple of ways. These include making sure to not reuse the same password over multiple services. Staying away from passwords that are an amalgamation of personal information (dates of birth, names, places etc.) will also make it much harder for cybercriminals to breach your credentials. When registering for a new account or service, consumers shouldn’t feel obliged to give away ‘optional’ information. Stick to the mandatory fields only. 

Ultimately, we need a mentality shift and a change in approach. The right security methods are out there; they are more robust, cost-effective and easy to implement. Strong authentication incorporates three distinct elements – possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, an iris scan). This allows businesses to verify that the person accessing the service is who they say they are, in addition to limiting the amount of times an individual can attempt access if any of these elements are missing or incorrect. This ‘digital trust’ (knowing a customer is who they say they are) is essential for consumers to continue to transact with businesses in today’s digital economy.  
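To make the three elements and the attempt limit concrete, here is an added illustration (not code from the article or from Intercede) of a server-side check that requires possession, knowledge and inherence together and locks the account after a fixed number of failures. The device secret, PIN and the byte-for-byte ‘biometric template’ match are constructed stand-ins for a real device credential and a real biometric matcher.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumed policy: lock after three consecutive failures


@dataclass
class Account:
    pin_hash: bytes            # knowledge: salted PBKDF2 hash of the PIN
    salt: bytes
    device_secret: bytes       # possession: secret held only by the registered device
    biometric_template: bytes  # inherence: enrolled template (constructed stand-in)
    failed_attempts: int = 0
    locked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(pin: str, device_secret: bytes, biometric_template: bytes) -> Account:
    salt = secrets.token_bytes(16)
    return Account(hash_pin(pin, salt), salt, device_secret, biometric_template)


def device_response(device_secret: bytes, challenge: bytes) -> bytes:
    # What the registered device computes over a server-issued challenge;
    # a captured response is useless for any other challenge.
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


def authenticate(acct: Account, pin: str, challenge: bytes,
                 response: bytes, biometric_sample: bytes) -> bool:
    if acct.locked:
        return False
    # Evaluate all three elements before deciding, so a failure does not
    # reveal to the caller which element was wrong.
    knowledge = hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash)
    possession = hmac.compare_digest(device_response(acct.device_secret, challenge), response)
    inherence = hmac.compare_digest(biometric_sample, acct.biometric_template)
    if knowledge and possession and inherence:
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked = True  # further attempts are refused until an out-of-band reset
    return False
```

A real deployment would replace the exact-match template with a proper biometric matcher and store the device secret in a hardware-backed key store; the control flow of requiring every element and counting failures is the part the passage describes.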

Flying in the face of GDPR 

Equifax’s data breach is an example of the type of breach we should not be seeing today, and it’s worrying that calls for change are falling on deaf ears. Businesses will have no choice but to sit up and listen as GDPR comes into effect next year, but it’s reproachable to see businesses continuing to play fast and loose with our personal information until something bad happens to them. We need to see companies acting, not reacting. They need to take up the mantle, educate staff and implement the strongest defences and measures. Not only will this help customers regain trust in companies, it will save corporate reputations and make the hacker’s job that much harder. Failure to do so will see businesses facing a lot more backlash than Equifax did, to the detriment of their bottom lines and reputations.

Richard Parris, CEO and Chairman of Intercede 

Image Credit: Balefire / Shutterstock