Blog: Questions That Need Answering about the Equifax Breach
The stage is set for the largest shareholder class action suit in U.S. history. Equifax disclosed on September 7 that the records of 143 million people, about 44% of the 325 million in the U.S., have been breached. Subtracting 75 million people under the age of 18, a remarkable 57% of U.S. adults’ credit records were exposed. With 143 million breach victims spread over about 116 million households, it is possible that every household in the country was exposed.
What do we need to know about this breach, and what actions should we take? This latest event raises at least eight significant questions:
1. Was Equifax the victim of criminal masterminds who found a weakness in the company’s otherwise impenetrable cybersecurity infrastructure?
The bad guys gained access to the data through a simple website application vulnerability caused by poor design, poor testing, negligence, or some combination of these. Although the investigation isn’t complete, the root cause is almost certainly inadequately defined and executed policies and processes, which created a door that any garden-variety cybercriminal could open.
2. Is this the first time a credit bureau has had a breach?
Cyber expert Brian Krebs was quoted saying “that fraudsters had taken advantage [in May] of ‘lax security’ in Equifax’s payroll-services division. In 2015, a breach at [Equifax competitor] Experian put 15 million consumers’ personal data at risk, and Experian also allowed an identity-theft scammer to trick the firm into letting cybercriminals view personal and financial data from more than 200 million Americans… ‘The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers.’”
3. After earlier known breaches, why didn’t Equifax take strong measures to protect its customers from cybertheft?
Erik Sherman asked in CBS Moneywatch, “So why don't corporations plug the gaps, improve their practices and safeguard sensitive consumer data? After all, these measures would prevent potential financial loss and identity theft. The answer: The losses involved are so small compared to the revenue that it's easier to take a chance and write off any losses should they occur. In other words, worrying about data breaches isn't worth it to them.” The company’s post-breach statement said that “Equifax has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.” Why didn’t that happen before? Or, if it did, why didn’t the processes then in place prevent what happened?
4. How well did Equifax respond after discovering the breach?
Not well at all.
Even though other credit bureau breaches have occurred, Equifax management seems not to have taken the possibility of future threats seriously. They kept this one under wraps for several months after its discovery, thereby exposing unsuspecting consumers to substantial financial risk. Several executives sold stock after the breach was discovered and before it was disclosed, although best practice dictates an immediate freeze on insider sales for a period, which protects the company’s reputation and avoids the appearance of impropriety. An SEC and FTC investigation is likely now that 36 U.S. senators have called on federal authorities to look into the sale of $1.8 million in stock. And finally, customers who sign up for the free credit monitoring that Equifax is offering are seemingly required to promise not to sue the company for future losses, which casts doubt on Equifax’s motives.
5. How will consumers be affected?
It may well erode consumer confidence.
A report recently issued by the National Infrastructure Advisory Commission described the country’s current cyber risk situation as “pre-9/11.” Continued increases in the frequency and severity of cyberattacks on the financial infrastructure may erode consumer confidence in the U.S. economy to the point of panic and alarm. Consumers are currently in the position of having the credit bureaus decide what level of precautions to take in protecting consumer data, and breaches like this most recent one will jar their faith in financial institutions.
6. How will Equifax be affected by this breach?
Changes could be dramatic.
Equifax is in a precarious position. The cost of remediating the breach alone could add up to hundreds of millions of dollars. The NY Attorney General has launched a formal investigation into the breach, and he has said Equifax’s stipulation that consumers taking advantage of free monitoring can’t subsequently sue Equifax will not hold up in court. Consumers Union, publisher of Consumer Reports, immediately began circulating a petition to hold Equifax accountable that portends a groundswell supporting legislation to require companies to comply with national cyber standards. The company’s market valuation could easily drop by 20% or more, a loss of $2.5 billion, and if that’s the case, stockholder suits are a certainty.
7. What peripheral damage will other companies experience?
Adding to Equifax’s concerns are potential suits brought by companies that experience peripheral damage from the breach. Banks and credit unions that bear the cost of fraudulent accounts enabled by Equifax’s negligence may litigate to recover damages. Significant impact on credit markets could result in further lawsuits, not to mention potential actions taken by FICO and Equifax’s sister credit bureaus, Experian and TransUnion.
8. Are there constructive steps that would increase the nation’s cyber resilience?
Require widespread compliance with national cybersecurity standards. The vast majority of breaches derive from policy and process failures, not ineffective technologies. The NIST Cybersecurity Framework is based on input from over 3000 expert contributors and is widely recognized as the national standard for assessing and managing cyber risk. A recent executive order mandates use of the Framework by all federal agencies, and extending use to include medium and large commercial enterprises and nonprofits would increase national cyber resilience.
Leverage the SAFETY Act wherever possible. This little-known law was developed after World War II and extended in 2002 after 9/11. Companies that offer products and services that defend the nation from external attacks are given immunity from liability. First applied to aircraft, the 2002 update extended coverage for users of DHS-vetted products and services that protect the U.S. from cyberterrorism. Using these products and services would ensure that the most effective solutions become widely deployed.
Posted by Mike Shultz on Sep 14, 2017