
What to Know About the Equifax Data Breach

09/11/2017  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Information Security

In what is already being called one of the worst data breaches of its kind, Equifax announced on Thursday, September 7, that approximately 143 million people in the U.S. (nearly half of the country’s population), along with an unspecified number of people in Canada and the U.K., could be affected by a cybersecurity incident that occurred between mid-May and July 29. As an international credit reporting agency based in Atlanta, Equifax holds the sensitive data of nearly 820 million people and over 91 million businesses around the globe.

WHAT HAPPENED?

Cyber criminals exploited an unpatched vulnerability in a commonly used web server platform, which allowed them to gain access to certain files and information in Equifax’s dispute resolution software application, including names, Social Security numbers, birth dates, addresses, and driver’s license numbers. Equifax also affirmed that credit card numbers for nearly 209,000 U.S. customers were exposed, as was "personal identifying information" on approximately 182,000 U.S. customers involved in credit report disputes.

In a video on its site, Equifax Chairman and CEO Richard F. Smith says, "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes." In an interesting development, also announced on September 7, three Equifax senior executives were reported to have sold stock worth almost $1.8 billion just days after the company became aware of the data breach. Equifax has indicated that these executives had not been informed of the cybersecurity incident at the time the shares were sold. Not surprisingly given the scope of the breach, the latest stock market reports show that Equifax stock prices have seen a 13 percent drop since the breach announcement was made.

WHAT’S NEXT?

In the breach announcement, the company indicates that it took immediate action to stop the intrusion once it was discovered, and that it has found zero evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases. Equifax also indicates that it promptly engaged a leading, independent cybersecurity firm that has been performing a comprehensive forensic review of the intrusion’s scope, which includes the specific data impacted. In his statement, Chairman and CEO Smith added, “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”

In addition, Equifax officials have reported the criminal activity to law enforcement and are working with authorities on an ongoing basis. Even though Equifax’s investigation of the data breach is substantially complete (which may help to explain the long period of time between the company’s discovery of the breach and the public announcement), further analysis will no doubt continue into the coming weeks.

ARE YOU AT RISK?

Equifax has created a special website to help consumers determine if their information has been impacted. Along with the website, Equifax will be sending direct mail notices to consumers whose credit card numbers or dispute documents were impacted.

Interestingly, Equifax has taken the admirable step of offering credit file monitoring and identity theft protection for ANY U.S. consumer, regardless of whether the consumer’s data was affected by the breach. Consumers wishing to take advantage of the service may sign up on Equifax’s site for credit file monitoring and identity theft protection.

For companies and business leaders who want to make sure their data is secure and safe from cyber criminals, LBMC Information Security exists to help organizations armor up with a wide range of network defense services from the national leaders in IT security, including ongoing risk assessments, security monitoring, incident response tabletop exercises, and more. LBMC Information Security brings an experience level that is both deep and broad in the areas of compliance and audit needs, managed security services, and security consulting. More information and contact details can be found at the company’s website.

Read Article in Nashville Business Journal

Posted in: Security Consulting