Where Did Equifax Go Wrong?

It has been revealed that Equifax, one of the three major consumer credit reporting agencies in the United States, has suffered a data breach where hackers had access to names, email addresses, social security numbers, driver’s license numbers and other sensitive information concerning 143 million of its customers. So where did it go wrong? Below are a few comments Lawyer Monthly has heard from industry sources.

Ross Brewer, vice president and managing director EMEA at LogRhythm, commented:

Equifax and its peers build their reputation on trust and the protection of consumers, so this breach becomes even more critical – and the immediate, dishonest actions of its executives will definitely come under scrutiny. It’s common practice to offer victims access to free credit monitoring in the aftermath of a data breach, but this incident now calls into question the integrity of all similar companies gathering, processing and storing such vast amounts of sensitive information. Whichever way you look at it, Equifax lost a goldmine of information – and with that level of detail to hand, identity theft would be child’s play for even the most inexperienced cybercriminal.

It is important that organisations such as Equifax understand the true value of the information that they hold, and take suitable measures to protect that data – at any given time. With such a lucrative potential payoff, credit monitoring firms are likely targeted by some very sophisticated, determined hackers, and in response should invest in the right monitoring and alerting technologies for when (not if) one of those attackers breaks through their defences. Only then can the organisation reduce the time taken to detect and respond to threats down to minutes, and stop a significant data breach in its tracks.

If anything, this is a solid reminder that even though British and European consumers may not directly deal with overseas businesses, those organisations might still hold – and ultimately lose – our personal data. This is exactly why we need the incoming EU GDPR, to hand down appropriate penalties to those US companies collecting huge amounts of highly sensitive personal data on European citizens and then not protecting it. Let’s not forget, if the ICO were to impose the highest level fine – four percent of Equifax’s turnover – it would be looking at a bill of over $100m.

Adrian Rowley, EMEA Technical Director, Gigamon, made the following comments:

The fact that a company like Equifax was a target is not surprising, considering the wealth of information it holds. Given the sensitivity of this type of data any such organisation needs a robust system in place to prevent these attacks from being successful. You cannot secure what you cannot see and when it comes to something as important as social security numbers, which could make ID theft easy, organisations must take data protection very seriously. Credit monitoring companies manage a treasure trove of information that can be damaging if it lands in the wrong hands, especially when it’s been in those hands for several months.

To combat threats targeting valuable data like this, technologies should be in place that take into account the growing size and complexity of today’s networks and eliminate any monitoring blind spots that may occur as traffic increases. A key prerequisite for a sound IT security strategy is knowing exactly what data is in your networks. Visibility is key, and our recent research found that 61% of respondents in the UK cited network blind spots as a major obstacle to effective data protection, while 41% of those without complete visibility of their network admit to lacking sufficient information to identify threats. Unfortunately, it seems that this has become a reality for Equifax.