Cybercriminals exploited an unpatched vulnerability in a commonly used web server platform that allowed them to gain access to certain files and information in Equifax’s dispute resolution software application, including names, social security numbers, birth dates, addresses, and driver’s license numbers. Equifax also affirmed that credit card numbers for nearly 209,000 U.S. customers were exposed, as was “personal identifying information” on approximately 182,000 U.S. customers involved in credit report disputes.
In a video on its site, Equifax Chairman and CEO Richard F. Smith says, “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.” In an interesting development, also announced on September 7, three Equifax senior executives were reported to have sold stock worth almost $1.8 billion just days after the company became aware of the data breach. Equifax has indicated that these executives had not been informed of the cybersecurity incident at the time the shares were sold. Not surprisingly given the scope of the breach, the latest stock market reports show that Equifax stock prices have seen a 13 percent drop since the breach announcement was made.
In the breach announcement, the company indicates that it took immediate action to stop the intrusion once it was discovered and that it has found zero evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases. Equifax also indicates that it promptly engaged a leading, independent cybersecurity firm that has been performing a comprehensive forensic review of the intrusion’s scope, which includes the specific data impacted. In his statement, Chairman and CEO Smith added, “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
In addition, Equifax officials have reported the criminal activity to law enforcement and are working with authorities in on ongoing basis. Even though Equifax’s investigation of the data breach is substantially complete (which may help to explain the long period of time between the company’s discovery of the breach and the public announcement), further analysis will no doubt continue into the coming weeks.
Are You at Risk?
Equifax has created a special website to help consumers determine if their information has been impacted. Along with the website, Equifax will be sending direct mail notices to consumers whose credit card numbers or dispute documents were impacted.
Interestingly, Equifax has taken the admirable step of offering credit file monitoring and identity theft protection for ANY US consumer, regardless of whether or not the consumer’s data was affected by the breach. Consumers wishing to take advantage of the credit monitoring service may sign up on their site for credit file monitoring and identity theft protection.
The bottom line
Organizations will never reach the finish line in cybersecurity because even as companies get better at deploying defenses, new flaws and new attacks will continue to be identified and launched, which will require organizations to continually adapt their programs and defenses accordingly. Entities committed to proper cybersecurity and data protection must acknowledge that fact and decide to either run the race, or stop committing resources to cybersecurity and face the risks and resulting consequences. For those organizations that are committed to properly and effectively managing cybersecurity risks, cybersecurity professionals such as the ones at LBMC continue to find ways to safeguard against the newest threats and attacks, and our mission is to work with organizations to elevate their security objectives into effective, risk-managing cybersecurity programs.
For companies and business leaders who want to make sure your data is secure and safe from cybercriminals, LBMC Cybersecurity exists to help organizations armor up with a wide range of network defense services from the national leaders in IT security—including ongoing risk assessments, security monitoring, incident response tabletop exercises, and more. LBMC brings an experience level that is both deep and broad in the areas of compliance and audit needs, managed security services, and security consulting. More information and contact details can be found at the company’s website.