Already being called one of the worst data breaches of its kind, Equifax announced on Thursday, September 7, that approximately 143 million people in the U.S.—nearly half of the country’s population—along with an unspecified number of people in Canada and the U.K., could be affected by a cybersecurity incident that occurred between mid-May and July 29. As an international credit reporting agency based in Atlanta, Equifax holds the sensitive data of nearly 820 million people and over 91 million businesses around the globe.
When data breaches occur—especially ones with a critical impact and a large number of affected consumers, such as the recent Equifax incident—the public rightly deserves to know the facts of the situation. A global, well-funded organization such as Equifax should certainly have the internal resources and expertise to design and implement a comprehensive cybersecurity program, so a logical question is: “Why was a vulnerable Internet-facing system left unpatched for so long?”
Given the size of the company and the nature of its business (Equifax collects and provides personal information on many consumers as part of credit checks and other inquiries), it would seem fair to assume that Equifax’s internal cybersecurity and IT experts understand and are accountable for proper cybersecurity measures, and that the company’s cybersecurity program is adequately funded and staffed. From the details made available about the breach, Equifax claims that it resulted from an unpatched vulnerability in a commonly used web application server operating system (Apache), that the specific vulnerability was discovered and reported and a patch issued for Apache in March of this year, but that Equifax neglected to apply the patch to the system that was later compromised.