What can we learn from the March 2017 Equifax data breach?

6 Feb

The Equifax data breach of March 2017 was one of the most publicized cybersecurity incidents in recent years. Millions of people had their confidential information stolen, increasing the risk of identity fraud and even financial loss.

Learning from this event is paramount for cybersecurity experts and business leaders, especially with the ever-evolving nature of threats in the digital landscape. What lessons can directors, board members, and cyber security departments take away from the 2017 data breach?

Timeline and aftermath of the data breach

The Equifax data breach was a large cybersecurity incident that compromised the sensitive personal information of millions of individuals. The breach affected approximately 143 million Americans, 15 million Britons, and 19,000 Canadians. It is one of the largest and most far-reaching breaches in history. The stolen data included names, Social Security numbers, addresses, and, in some cases, driver’s license numbers.

The breach began as early as March 10 of that year, but Equifax only discovered the incident on July 29, 2017–76 days later. However, they didn’t disclose information about the breach until September 7, 2017. Equifax faced lawsuits and settlement claims because of the event. They also began offering new free services as part of their reparatory measures.

In 2020, the FBI charged several Chinese military hackers for their role in the cybercrime incident. As of writing, there hasn’t been any evidence that China has used the data stolen from Equifax.

It’s also the case what whilst Equifax’s controls may not have been perfect, it was a control posture lots of large companies would have recognised. A lot of CISOs - me included - said ‘that could have been us’.

The cause of the data breach

The breach started with a vulnerability in the Apache Struts web application framework. Equifax had failed to update its Struts software, leaving a known security flaw open to unknown elements. Hackers took advantage of this vulnerability to gain unauthorized access to Equifax’s systems.

The hackers used various methods to exploit the vulnerability and gain access to the sensitive data. They were able to use SQL injection and disguised themselves as authorized users. Using these techniques, they were able to scan databases and extract information without detection.

Temporary fixes and mitigation measures: How the company and the board handled the crisis

One of the most significant criticisms levelled at Equifax was the delayed announcement of the breach to the public. In between the discovery and disclosure, hackers had plenty of opportunity to exploit the stolen data. This delayed response left millions of individuals vulnerable to identity theft and financial fraud.

In the aftermath of the breach, Equifax underwent significant changes in its leadership and governance structure. New executives were appointed to lead the company’s cybersecurity efforts. They also set new policies, improved systems monitoring, and offered compensatory services to mitigate the damage their brand faced.

Questions were raised over executive behaviour in the aftermath of the breach, resulting in a claim of insider trading - selling stock based on the knowledge of the breach, that was not then public.

The then-new CEO, Paulino do Rego Barros, Jr., announced the new service that gave “consumers the option of controlling access to their personal credit data.” This free service still exists today. In addition, the company extended the deadline for free credit freeze and promised to hire more customer support agents.

Data breach impact

Equifax faced large fees, litigation, and loss of customer trust after the 2017 data breach. In 2019, they had to pay at least $575 million as part of a global settlement. They also had to pay up to $20,000 in reimbursement for the customers who had to undergo various processes to identify fraud and secure their information.

Equifax also suffered a downgrade in its credit rating thanks to the breach. However, the most significant impact is on customer trust and confidence, which is much harder to quantify. Still, the company was able to rise from the scandal, reaching $5.12 billion in revenues in 2022.

What controls or measures can you implement to avoid this scenario in your organisation?

The 2017 data breach is a reminder for board members, directors, and C-suite employees about the importance of protecting customer data. The event also highlighted the necessity of keeping software updated to remove vulnerabilities.

Regular software updates protect against security issues: Updates and patches to programs help keep hackers out by fixing vulnerabilities. Cybersecurity departments must have a system in place to learn about upcoming updates and a protocol for implementation. Don’t let one system be an exception.
Robust processes for handling data leaks: One of the biggest criticisms against Equifax was the less than organized methods they used to address the data breach. A company needs to have a game plan ready to identify, mitigate, and communicate data leaks.
Strengthening protection for customer data: Implementing better access control, using strong encryption for data both in transit and at rest, and robust data retention policies all help create a strong system for protecting customer information.
Executive credibility and communications: Equifax’s CEO was grilled publicly by a senate oversight committee, and their CISO was challenged for not having an appropriate professional background. Claims of insider trading harmed board credibility at a critical time. Consider up front how things will play out, and perhaps get crisis communications support on retainer should you need it.

How is your company protecting customer data?

The world creates 2.5 quintillion bytes of data each day, and many companies process big amounts of data now more than ever. One unmanaged vulnerability in one unmanaged system is all it took. Having robust protection helps you avoid what happened at Equifax.