Equifax Data Breach Case: Excessive Risk Consequences

written by Thomas Johnson, On June 05, 2023

Want to apply for a home or car loan, or for a credit card with a higher limit? You need a favorable credit score to do so, and Equifax could help you get there. Equifax, the third largest credit reporting agency in America, handled confidential customer data and served as a primary source for banks and lending institutions to evaluate your profile and approve your application.

What was the problem? By 2017, Equifax had informed its users worldwide that it had been the victim of a cyber-attack that compromised the information of more than 40% of the American population.

Stay with us and learn what Equifax is, how the data leak happened, what risks the company took, and what it neglected, so you can avoid making the same mistakes in your company.

Let's do it!

What is Equifax?

To comprehend the case's significance, it's important to understand what the agency actually does. Equifax is a multinational agency that operates in 15 countries and produces global credit reports. When users wish to obtain a loan from a bank or financial institution, they need a favorable credit score and credit history to be approved, and this is precisely what Equifax provides: through an extensive database of records, it manages the data of more than 800 million consumers and supplies that information to lenders, including purchase history, debts, and payment compliance.

How does Equifax work? 

Equifax is the third largest credit reporting bureau in the United States because it collects a large amount of credit information on millions of borrowers worldwide. It then processes that data through multiple complex mathematical algorithms and in-depth statistical analysis to produce a numerical snapshot (credit score) of each person, ranging from 300 to 900, which is delivered to financial institutions along with the person's credit profile and credit history.

This allows lenders to evaluate the applicant's past and present behavior and creditworthiness and decide quickly. People with a high score have a better chance of obtaining credit; a low score means fewer opportunities.

So, you may wonder what went wrong. Let's look at the plot twist. 

Read on!

The Equifax hack: a scandalous data theft 

By March 2017, the credit agency Equifax notified its users that it had been the victim of a cyber-attack on its servers: unknown persons forcibly gained access to its extensive database and clandestinely stole the information and credit records of more than 143 million users in the UK, Canada, and the USA.

What kind of information was exposed? 

As mentioned above, Equifax not only handles a large amount of data, but that data is privileged information whose exposure compromises the identity, security, and privacy of individuals. The hackers took 182,000 confidential documents and 209,000 credit card numbers, as well as:

  • Addresses
  • First names
  • Dates of birth
  • Telephone numbers
  • Social Security numbers
  • Driver's license numbers

Once breached, this information exposed customers to theft, data misuse, identity theft, and more.

Where was the flaw? Let's move on to the next point!

Equifax data breach through a vulnerable app

To begin with, it's important to understand that the Equifax data breach didn't result from a single incident that caused havoc. Instead, it was the result of several cybersecurity weaknesses that together failed to prevent a cyberattack. This set of weaknesses allowed improper access to a "secure" database and the extraction of thousands of gigabytes of data.

They ignored the vulnerability

For its website, Equifax used the open-source Apache Struts framework. However, the version in use was vulnerable: attackers sent HTTP requests carrying malicious code in a header, the system did not detect the irregularity, and it executed the code, allowing improper access to the system.

The company had already received several notifications of the flaw from the vendor (Apache Software) and even from a security consultant it had hired. Yet upon learning of the defects, its risk management team, IT staff, and auditors did not apply the appropriate security patches.

Lack of segmented systems

The hackers could reach the massive database through the Equifax web portal, which, due to a flaw, allowed access to the rest of the company's information systems without the necessary security, encryption, and authentication measures.

Lack of encryption certificates 

The data breach did not occur in one day; the pre-existing vulnerabilities gave the hackers over 76 days to take customers' personal information without Equifax staff noticing the loss. This was because the tools the company used to decrypt and analyze its web traffic for access irregularities relied on security certificates that had not been renewed for more than ten months, so the traffic inspection was not working.

Misconduct 

One of the behaviors for which Equifax is most questioned is that its directors and managers took a month to disclose what had happened. During this time, with the scandal still hidden, shareholders sold their shares.

Bonus 

Risk management tools such as Pirani can help your company create an effective threat control and mitigation framework and support the execution of internal audits to detect vulnerabilities and flaws in your internal processes and security before a cyber-attack occurs.

In addition, Pirani can facilitate the implementation of an information security management system covering data handling, compliance with protocols, and effective cybersecurity policies against theft, phishing, ransomware, viruses, etc. It can also be vital to keeping data encryption certificates up to date by maintaining information about the validity of those certificates in one place. It helps you protect your company's information and maintain the trust of your customers.

Let's see the impact of this data leak!

Equifax data breach settlement 

Despite thorough investigations, it was never possible to find out who was responsible for the cyber-attack or to recover the extracted data. Some believe it was part of an international espionage strategy.

Even though the damage was impossible to quantify given the magnitude of the leak of essential data (143 million people affected), Equifax's responsibility was unquestionable. After the class action lawsuit, the Equifax data breach settlement amounted to 1,138 billion dollars to resolve the claims of those involved (only $125 per person).

As part of the lessons learned, the agency invested $1.4 million in improving its cybersecurity and changed its shareholders, but the reputational damage and loss of trust had already occurred.

What did you think of this case? Did you already know about it? 

Let us know in the comment box!