The Equifax Hack a Year Ago. What We Can Learn From It!

We’ve already mentioned twice here at Appknox about one of the world’s biggest cybersecurity breaches. Today, on the occasion of remembering what happened around one year ago with the Equifax hack, we’re looking back at how hackers entered the company's systems to steal over 147 million people’s personal and financial data. This data included Social Security numbers, dates of birth, home addresses, and some driver's license numbers and credit card numbers.

Brief History

The Equifax data breach started on 13 May 2017, but the company discovered it on 29 July 2017. Remediation began immediately; however, the resulting costs have taken a significant toll on the company’s finances.

The breach exposed personal data of 148 million individuals in the United States, i.e., 56% of American adults. About 15 million U.K. citizens and 20,000 Canadians also had their data stolen.

Investigations by Authorities

The data hack resulted in a number of lawsuits and congressional probes by privacy authorities in both Canada and the U.K. The Republican majority staff of the U.S. House of Representatives Committee on Oversight and Government Reform published a report that stated the data breach “was entirely preventable.”

According to the report, “Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.”


They reported that Equifax had numerous security defenses in place, but failed to use them to full effect.

The company responded to the report in a statement, “We identified significant inaccuracies and disagree with many of the factual findings.”

On the Canadian probe which concluded recently, Daniel Therrien, Canada’s privacy commissioner, stated that “Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices.”

UK regulators concluded their investigation last September and the Information Commissioner’s Office (ICO) announced a fine of £500,000 for failing to protect personal data of up to 15 million citizens of the U.K.

Equifax’s Financial Results for Q1 2019

Many companies have faced data hacks and have paid a heavy price for it. The Atlanta-based company reported a loss of $555.9 million for the first quarter of 2019 (ending 31 March) against $90.9 million net income in the same quarter of 2018.  

Equifax’s technology and data security costs resulting from the breach came up to $82.8 million in the Q1 2019 balance sheet. These costs include incremental costs to transform the technology infrastructure and to improve application, network and data security.

The company also launched Lock and Alert, a product that allows individuals to lock and unlock their credit report with Equifax. Apart from this, Equifax also listed $12.5 million in quarterly legal and investigative fees and $1.5 million for product liability.

It is common for a company to sense heightened danger after a data breach, but far less common for it to feel the same before one occurs. Generally speaking, the cost of preventing a breach and the cost of recovering from one are incomparable. This may sound overused or hyped up, but the Equifax hack shows it to be true. Let’s take a look at the trouble Equifax went through, all because they took the threat of a breach very lightly beforehand.

1. Compromise of personal and private data

The magnitude of data lost during this breach was immense. Not only was it a high-volume data breach, but the type of content the hackers got their hands on was simply priceless. It isn’t comforting as a consumer to know my personal and private data is in the hands of bad people.

2. Massive brand reputation damage

To put it simply, when your consumers’ data is compromised and out in public, there is just no coming back from an inexcusable mistake like that. Tons and tons of your consumers are going to turn away from you, because when trust is betrayed there are not many instances where you get a second chance.

3. Massive remediation spends

In the year since the breach, Equifax has invested $200 million in data security infrastructure, and the now acting CISO, Farshchi, says that Equifax has given him the resources he needs to build a stellar security program. Although it’s a step in the right direction, it’s one small step taken very late. Basically, we’re saying all this could have been easily avoided.

4. Data breach penalties

US cybersecurity laws are known to be among the strictest in the world. A data breach certainly is not going to go unnoticed or unpunished. If the Democrats’ measure had been law at the time of the incident, Equifax would have been forced to fork over $1.5 billion to the feds, the lawmakers estimate. That’s because their measure would allow the FTC to fine credit-reporting agencies $100 for each consumer whose personal information was stolen by a hacker, and another $50 for each additional piece of personal information compromised per individual. Total fines would be capped based on a credit-reporting agency’s revenue but could increase further if the likes of Equifax failed to follow basic cybersecurity practices. Apart from the huge penalty, Equifax still devotes a huge chunk of time to fighting it out in court.

5. The hiring of new resources

Apart from running around and trying to build new security capabilities (because obviously what they were doing didn’t work), Equifax decided to initiate its overhaul top-down. They spent a massive amount hiring a huge name in information security. Let’s not even try to put a number on what he or his new team would have cost Equifax. All this because the warning before a hack didn’t sound as alarming as the aftermath.

If the pre-breach warning doesn’t sound important enough coming from us, then hear it from the man Equifax themselves hired to get them out of this mess.

In the words of the CISO recently hired by Equifax, Jamil Farshchi: "One of the things that I really love about being a CISO in a post-breach environment is it gives you such an immense opportunity to drive fundamental, meaningful change in a very short timeframe. I felt like I did good things when I was at Los Alamos or at NASA, but it takes so frickin' long to push some of this stuff. The barriers you face at any company not post-breach is you're always fighting for budget, you're always fighting for facetime, trying to justify and convince people about the importance of security and risk management. When you're in a post-breach environment, everyone already knows that it's critically important."

TOO LATE! 

Add all this up and put a number to it. Do you think it’s worth all that trouble? There are great security solutions out there at costs you cannot afford to ignore. There’s a lot at stake, so we’d suggest taking the pre-breach situation much more seriously before it’s too late. It could happen to a business of any size, but at the end of the day the damage done has the same lasting effect. If you are a business that has concerns, let Appknox help you set up a security strategy.

We fight for a larger cause and it's worth more than just a meager business deal to us.


Published on Aug 3, 2018
Written by Harshit Agarwal
Harshit Agarwal is a serial entrepreneur, passionate about end-to-end mobile app security. As a Microsoft Venture Accelerator alumni and CEO of Appknox, he works with enterprises globally ranging from some of the top Fintech companies to Fortune 100 businesses in setting up continuous mobile application security processes.
