On September 7, 2017, credit agency Equifax made a stunning announcement: it had suffered a massive data breach affecting approximately 143 million U.S. consumers.
Equifax is one of the three largest credit reporting agencies in the United States. The compromised data included full names, Social Security numbers, driver’s license numbers, mailing addresses, birth dates and, for a smaller subset of consumers, credit card numbers. All manner of personal information was now in the hands of the attackers. And then things became worse.
The loss of consumers’ sensitive information was bad enough for Equifax’s reputation, but the details were far more infuriating. Equifax had learned of the breach on July 29th, yet it took the company more than five weeks to disclose the loss to the public. In those five weeks, three Equifax executives sold close to $1.8 million worth of company stock. Equifax was, to be sure, working with the FBI and Mandiant to identify the attackers, but that was not enough. Its poor security and misleading secrecy had done severe damage, and the only ones Equifax could blame were themselves.
Bonus: on September 13th, Equifax faced accusations of still more poor security practices when an employee portal at its Argentina branch was found to be protected by trivially guessable default credentials.
Equifax launched a WordPress-powered website to help consumers affected by the breach. The site asked visitors to enter the last six digits of their Social Security number along with their last name. Collecting that on a stock WordPress installation is not a good idea: WordPress and its plugins have a long history of serious security exploits, and the site did not offer the enterprise-level security such data demands. Worse, it lived on a newly registered domain separate from equifax.com, so consumers had no easy way to tell it from a phishing copy; Equifax’s own support account on Twitter at one point linked to a look-alike domain. Equifax also gathered and shared sensitive information without obtaining proper consent, a practice that would not satisfy the EU’s GDPR (which, to be fair, was not enforceable until May 2018). Had no one learned their lesson?
How the Attack Happened
Equifax continued to withhold critical details from the public, and the number of those affected kept growing: the company revised the count upward more than once as it found that still more personal data had been lost. This was unbelievable. Why hold all this information in the first place? And how could anyone fail to protect it?
As for how the breach happened, the company’s conduct makes it an untrustworthy narrator, yet it remains our primary source of information. Equifax later acknowledged that the attackers entered through a publicly disclosed vulnerability in the web application framework it used, one for which a patch had been available for months, so the question of whether its site was up to date on security patches answers itself. What is also clear is that the company’s web applications offered very broad access to data. ‘Very’ is an understatement; excessive access to personal identification would be more accurate.
This narrative is not new. Major corporations suffering large data breaches appear in the news almost daily, and it is especially unfortunate when it happens to companies whose business is storing sensitive data. Why does security remain so lax? Many organizations put growth and business goals first, and information security is an afterthought. Growing a business is vital to survival, but so is the trust of the consumer.
How It Could Have Been Prevented
September 2017 feels like a lifetime ago, yet almost a year later the consequences are still being borne out for Equifax. There are many lessons to learn here. Application and cyber security are essential in our hyper-connected world. A thorough penetration test or code review could have found the risk early on, and automated security testing, including routine checks for components with known, unpatched vulnerabilities, would have flagged it long before it became a serious problem.
Every one of these measures is part of a mature SecDevOps approach. More companies need to integrate security thinking and best practices into web development. Cyber security requires time and investment, but it is worth it to give customers the safety they expect and to build a brand that can earn trust. A stronghold that protects everyone inside and outside the company reaps countless benefits. Organizations must value cyber security; until they do, significant data breaches will continue to occur.
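As an added illustration of the automation point above (example code written for this page, not Equifax’s tooling or any real scanner), here is a minimal dependency-advisory gate of the kind a CI pipeline can run on every build, so that a component with a known, already-patched vulnerability fails the build instead of reaching production. The advisory feed, the package names, the version numbers and the ADV-EXAMPLE identifiers are all constructed for the example; in practice the feed would come from a vulnerability database.

```python
"""Minimal dependency-advisory gate for a CI pipeline.

Everything here is constructed for illustration: the advisory list, the
manifest, the package names and the ADV-EXAMPLE identifiers are hypothetical,
not real advisories or real Equifax components.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str          # hypothetical identifier, not a real CVE
    affected_below: str       # first fixed version; everything below it is vulnerable
    affected_from: str = "0"  # first vulnerable version (inclusive)


# Constructed advisory feed. A real pipeline would pull this from a
# vulnerability database on every run.
ADVISORIES = [
    Advisory("web-framework", "ADV-EXAMPLE-0001",
             affected_from="1.2.0", affected_below="1.2.19"),
    Advisory("web-framework", "ADV-EXAMPLE-0002",
             affected_from="1.3.0", affected_below="1.3.4"),
    Advisory("xml-parser", "ADV-EXAMPLE-0003", affected_below="1.4.2"),
]


def parse_version(version):
    """Split '1.2.19' into (1, 2, 19) so versions compare numerically.

    Comparing the raw strings would rank '1.2.9' above '1.2.19' and let a
    vulnerable build slip through.
    """
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text):
    """Parse 'name==version' lines, ignoring blanks and comments.

    An unpinned dependency is rejected rather than skipped: the gate fails
    closed, because a component whose version is unknown cannot be checked.
    """
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip()] = version.strip()
    return deps


def is_affected(version, adv):
    """True when version lies in [affected_from, affected_below)."""
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.affected_below)


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return (package, version, advisory_id, fixed_version) for every hit."""
    findings = []
    for adv in advisories:
        version = deps.get(adv.package)
        if version is not None and is_affected(version, adv):
            findings.append((adv.package, version, adv.advisory_id, adv.affected_below))
    return findings


def gate(manifest_text):
    """Return (passed, findings); a CI job exits non-zero when passed is False."""
    findings = find_vulnerable(parse_manifest(manifest_text))
    return (not findings, findings)


# Constructed manifest: one component is two patch releases behind the fix.
SAMPLE_MANIFEST = """\
# constructed manifest, not a real dependency list
web-framework==1.2.9
xml-parser==1.4.2
logging-lib==3.0.0
"""

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_MANIFEST)
    for pkg, ver, adv_id, fixed in findings:
        print(f"FAIL {pkg}=={ver}: {adv_id}, fixed in {fixed}")
    raise SystemExit(0 if passed else 1)
```

Run against the constructed manifest, the gate fails the build on web-framework 1.2.9 (fixed in 1.2.19) and passes xml-parser 1.4.2, which is exactly the fixed version. Two design choices matter more than the size of the script: versions are compared as numeric tuples, not strings, and an unpinned dependency aborts the check rather than being silently ignored.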