Equifax Data Breach 2017
Equifax is one of the top three U.S. credit bureaus and holds data on more than 800 million individuals globally. The breach hit 147 million people, mainly U.S. individuals.
The Breach
In September 2017, Equifax announced that it had suffered a data breach. The unauthorized access occurred from mid-May through July 2017. The breach exposed a vast amount of personal data, including:
- Names
- Social Security numbers
- Birth dates
- Addresses
- Driver’s license numbers (in some cases)
- Credit card numbers for about 209,000 consumers
Cause
The breach was caused by a vulnerability in the Apache Struts web application framework, which Equifax used for one of its online dispute portals. A patch for this vulnerability was available two months before the breach began, but Equifax failed to apply it in time.
Impact
Financial Impact
Equifax’s stock price dropped significantly after the breach was announced. The company faced numerous lawsuits, and it was estimated that the breach would cost the company over $600 million.
Reputational Impact
The breach had a severe impact on Equifax’s reputation. Many customers, regulators, and lawmakers criticized the company’s delay in disclosing the breach and its overall handling of the incident.
Operational Impact
In the aftermath of the breach, calls for stricter regulations concerning data protection and consumer privacy grew louder. The breach also led to greater scrutiny of credit reporting agencies and their data protection practices.
Response
Delayed Reporting
Equifax discovered the breach on July 29 but waited until September 7 to publicly announce it.
Website Issues
The website Equifax set up for consumers to check if they were affected was criticized for potential security flaws.
Insider Trading Allegations
Three Equifax executives sold shares worth almost $1.8 million in the days after the breach was discovered but before it was publicly announced. Equifax said the executives had not been informed of the breach at the time of their sales.
Lessons and Takeaways
Prompt Patching is Crucial
Organizations must have a system in place to promptly apply security patches to their software and systems.
Incident Response Plan
Companies must have a clear incident response plan that includes timely disclosure to affected parties and the public.
Insider Trading Policies
Companies should have strict policies about trading during times of sensitive incidents and significant internal developments.
This breach stands as a stark reminder to businesses worldwide about the importance of cybersecurity, the need for timely patching, and the necessity of having robust incident response strategies.