Why The Equifax Breach Should Be Doing More Than Scaring Us

Posted on by Tony Kontzer

Do we need look any further than the recent Equifax breach for compelling evidence of what a cyber security incident can do to a business?

A couple of weeks ago, Equifax was just one of three credit reporting agencies Americans knew housed their financial data. Today? It is being held up as an example of the risks of housing valuable data.

We've all seen the eye-popping number over and over again: confidential information on as many as 143 million Americans was compromised in a breach Equifax discovered on July 29, and that was apparently occurring for more than two months. Allowing a breach of this size and severity doesn't go unpunished, and the company has faced swift and varied consequences.

Equifax's reputation has taken a beating, with consumers losing confidence in it, the New York Times all but calling for its virtual head, and investors following suit, shaving billions off of the company's market capitalization.

Even Equifax's own chairman and CEO, Richard F. Smith, sounded like his confidence had been shaken.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Smith said in the press release disclosing the breach. "I apologize to consumers and our business customers for the concern and frustration this causes."

When the CEO expresses that kind of disappointment, it's only a matter of time before there are leadership changes, and a week later Equifax announced that its CIO (David Webb) and CSO (Susan Mauldin) were "retiring," without identifying either departing executive by name.

What's really sad about the story—beyond the fact that half of all Americans have been scrambling to protect themselves from identity theft ever since the breach was disclosed—is that, as is the case so often in major breaches, it could have been avoided so easily.

Hackers exploited a vulnerability in Apache Struts, an open-source web application framework Equifax used to build web sites. The software bug in question had been publicly identified in March, and a patch to fix it had been available since then. Equifax has said that it tried to patch the bug two months before it discovered the breach, but that it has not deduced why the patch was unsuccessful, and that it promises to share its findings as it continues its investigation of the incident.
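A patch that "was unsuccessful" is usually one that was applied somewhere but not everywhere, so the defensive follow-up to any such advisory is to verify the fix on disk rather than trust the change ticket. The script below is an added example, not code from the original post or from Equifax: it inventories deployed `struts2-core` JARs by file name, parses their versions, and reports any that fall below a minimum version the operator supplies. The sample paths and the minimum version are constructed placeholders; the real threshold comes from the vendor advisory for the CVE being remediated, which this article does not name.

```python
"""Verify that a Struts patch actually landed by inventorying deployed JARs.

Added example (not from the original post or Equifax). Given the paths of
struts2-core JARs found on a host, parse each version from the file name and
report any below a minimum version the operator supplies. The minimum
version is an assumed input; take it from the vendor advisory for the CVE you
are remediating instead of hard-coding it.
"""
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Struts 2 core ships under this file name pattern, e.g. struts2-core-2.3.30.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Version:
    """'2.3.30' -> (2, 3, 30). Tuples compare numerically; strings would
    rank '2.3.9' above '2.3.30', which is exactly the wrong answer."""
    return tuple(int(part) for part in text.split("."))


def jar_version(path: str) -> Optional[Version]:
    """Return the Struts core version encoded in a JAR file name, or None
    when the path is not a struts2-core JAR at all."""
    match = JAR_RE.search(Path(path).name)
    return parse_version(match.group(1)) if match else None


def find_unpatched(paths: Iterable[str], minimum: Version) -> List[Tuple[str, Version]]:
    """List every struts2-core JAR whose version is below `minimum`.
    A non-empty result means the patch did not reach every deployment."""
    findings = []
    for path in paths:
        version = jar_version(path)
        if version is not None and version < minimum:
            findings.append((path, version))
    return findings


def scan_tree(root: str, minimum: Version) -> List[Tuple[str, Version]]:
    """Walk a real application directory and apply the same check."""
    jars = (str(p) for p in Path(root).rglob("struts2-core-*.jar"))
    return find_unpatched(jars, minimum)


# Constructed sample inventory (hypothetical paths, not Equifax's): the patch
# reached one web application, but an older copy of the library survives in a
# second deployment on the same host.
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.33.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.30.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/commons-lang3-3.5.jar",
]

# Assumed threshold for the example only; the real value is the fixed version
# named in the advisory for the vulnerability you are closing.
MINIMUM_EXAMPLE = parse_version("2.3.32")

if __name__ == "__main__":
    for path, version in find_unpatched(SAMPLE_PATHS, MINIMUM_EXAMPLE):
        print(f"UNPATCHED {'.'.join(map(str, version))} {path}")
```

Run against a live host with `scan_tree("/opt/tomcat/webapps", MINIMUM_EXAMPLE)` and treat any finding as a failed change, not a cosmetic leftover: a forgotten copy of the library is still loaded by whatever application sits next to it.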

The real question that this breach raises is this: Why didn't this happen sooner? It certainly could have. In a cyber crime market that showers financial gains on hackers that can make off with valuable personally identifiable data, Equifax and its rival credit bureaus, Experian and TransUnion, each represent a Holy Grail of data.

And this isn't the first time Equifax found itself in the cross hairs of a hacking operation. Just last year, critical W-2 tax and salary data was stolen from an Equifax web site, and earlier this year, more W-2 tax data was stolen from TALX, an Equifax subsidiary. That these smaller attacks occurred makes the company's ineffectiveness in adequately protecting its treasure trove of data all the more perplexing.

Adding to the company's woes was the fact that even its efforts to make things right were being undermined by technical difficulties. The company set up a web site to disseminate information on the breach, and to let consumers find out if their records were affected, but that engine proved unreliable, with consumers getting different answers at different times. (I checked my status twice — once it told me it appeared I had not been affected, and the other time it said I probably had been.)

It's clear the company is now taking steps to address the situation decisively. In addition to jettisoning its CIO and CSO, Equifax has offered all of its customers free credit protection services, and is also enabling customers to freeze their Equifax credit reports, thereby making it impossible to open new accounts without "thawing" that freeze.

Equifax said that when it first discovered the breach, it immediately reported the incident to law enforcement and hired a cyber security firm to conduct a review and determine the scale of the invasion. That investigation is expected to wrap up soon.

But regardless of what it discovers, and what new security measures it puts in place, the damage is done. Equifax will find itself temporarily in the shadows of its rival credit reporting bureaus as it scrambles to repair its reputation.

Consumers will start asking creditors which bureau they rely on, and when the answer is "Equifax," the creditors will get an earful. There will likely be calls for more diligent government oversight of all three bureaus, but Equifax in particular, and the company's stock will continue to take a beating. And all of this will continue until Equifax can demonstrate that its security is up to snuff and the furor dies down.

Which leads us to the important takeaway from this incident: We cannot return to business as usual. This breach is a wake-up call. It's time for us to stop sitting around waiting for a truly catastrophic breach to bring the country to a halt. We can't wait for the power grid to be held hostage or to wake up and find that all of our bank accounts have been emptied overnight.

It's time for us to acknowledge that breaches are inevitable, and that just throwing up the latest protection schemes and hoping for the best is not enough. More than anything, it's time for us to sit up and take ownership of our data, whether it's ours or it has been entrusted to us.

Data is the new currency, and we better protect it like we would a big pile of money. If we don't, the next big breach could be more than a scare. 

Tony Kontzer, RSA Conference
