On September 7th, Equifax announced they were hacked. Cybercriminals accessed the personal information of 143 million Americans. Equifax later announced that 100,000 Canadians had been affected as well. The hackers demanded 600 bitcoin from Equifax and threatened to leak the information if the ransom was not paid. The Equifax data breach has led to millions of people wondering whether their data is safe or not.
The Equifax data breach has affected a lot of people but it isn’t the largest data breach to occur. The largest data breach belongs to Yahoo, which affected 1 billion accounts (view this infographic to see how the Equifax data breach compares in size to other large data breaches).
The severity of the breach has more to do with the type of data that was stolen than with the amount of data that was stolen. Cybercriminals were able to access social security numbers, credit card numbers, names, addresses, DOBs and driver’s licence numbers. All of this information can be used to steal someone’s identity and fraudulently open credit under someone else’s name.
The nature of this information could have also revealed security question answers that authenticate a user’s identity on websites. The hackers have enough information to obtain access to people’s online accounts through social engineering. The outcome of this hack has put the most sensitive and personal data in the hands of cybercriminals.
Not only did customers have their most sensitive data compromised, but they didn’t know about it until 6 weeks later. The Equifax data breach occurred between mid-May and July. Equifax became aware of the breach on July 29th and did not publicly announce the breach until September 7th.
According to an article on Vox, the laws regulating data privacy are set by the state and each state sets different laws. Equifax is based in Georgia, which doesn’t enforce a timeline for when customers should be notified of a breach. Although there is no legal enforcement around this issue, Equifax made the situation worse by delaying their announcement for so long.
Customers’ data had been compromised without their ability to take action to protect their information and monitor their accounts. Without the knowledge that their data had been hacked, customers were unable to protect themselves during those six weeks.
Equifax is directing customers to a dedicated website that is supposed to tell them whether their information has been compromised or not. The company is receiving backlash over the site as users are experiencing several issues with it.
The website requires users to enter their last name and last six digits of their social security number so they can determine whether their information is affected or not. Several people are upset with the system that is in place as they don’t feel comfortable providing the company with even more information in order to find out if they have been affected.
In addition to this, there have been other issues with the website. According to this tweet, the captchas aren’t working properly on the site. Lastly, people aren’t getting a clear response as to whether they have been affected or not. The responses from the website are very inconsistent. Some users claim they didn’t receive a message at all, leaving them to question the validity of the website.
There are also several phishing scams pretending to be Equifax reaching out to consumers about whether they have been affected or not. There have been reports of emails and calls asking for personal information such as credit card numbers and other financial information. Equifax has stated that people will be notified by mail but the hack has opened up opportunities for people to fall vulnerable to scams.
The hackers exploited a vulnerability in the Apache Struts web-application software. Companies using this software were made aware of the vulnerability in March and were provided with clear directions on how to patch it. Equifax failed to update the software and two months later hackers were able to access their database. While the information in the database was encrypted, the hackers had access to the encryption keys on the same server that was vulnerable. While some data breaches can be out of one’s control, Equifax failed to responsibly implement security defences.
Three executive managers sold a combined $1.8 million worth of shares on August 1st and 2nd. This is a few days after the company became aware of the hack on July 29th but before the Equifax data breach was publicly announced. The company responded to criticism by stating the executive managers were not aware of the data breach when the shares were sold. However, the executives are now being investigated for insider trading.
While this doesn’t make the data breach any worse for those affected, it has made people question the merit of the company altogether. If the executives were irresponsible enough to potentially commit insider trading, then the company was probably irresponsible in other ways as well, particularly in the way they handled their consumer data.
Equifax is offering affected customers a year of free credit monitoring service. Customers are sent a notification to sign up for this service when they check to see if their data has been compromised. Many people are suggesting that the situation is being wrongly used as a marketing tactic.
Most experts are advising against signing up for the free credit monitoring. It is better to take other precautions because one year of credit monitoring isn’t enough to protect yourself against the severity of the leak.
In conclusion, Equifax did not responsibly protect the personal data of their customers. Once the breach occurred they put their customers further at risk by failing to notify them immediately. Their strategy to try and help affected customers is flawed. Instead of offering professional advice on how affected customers can protect themselves, they used it as a way to get people to sign up for their services.
Companies with sensitive data need to be better prepared with security defences to prevent a data breach from happening. Even small and medium-sized businesses are not immune to something like the Equifax data breach. Hackers target the most valuable type of data and not necessarily the largest amount of data. Credit card numbers, social security numbers and anything else that can help steal someone’s identity is valuable information for hackers to obtain.
Protect your business and your customer data. Contact Keystone Technologies to learn how you can secure your data.