Equifax Breach: Never Too Big To Fail


October 17, 2017

The October Blog Series | Cybersecurity

Issue 13: Equifax Breach: Never Too Big To Fail

October is Cybersecurity Awareness Month -- and the perfect time to reflect on some high-profile cybersecurity mistakes. In March 2017 and from May through July of 2017, Equifax experienced substantial data breaches, but these breaches were not reported to the public until September. Organizations have a lot to learn from the Equifax data breaches, especially in relation to the company's attempts at mitigation.

The March 2017 Data Breach

In March 2017 Equifax experienced a major data breach, but only began notifying selected customers in May. In September Bloomberg reported on the incident, but only after another incident had already occurred. The March 2017 data breach was not discussed in public by Equifax until the May through July breach had become public knowledge. Though Equifax cited the two incidents as unrelated, there were those who claimed that both hacks had been carried out by the same individuals.

September Reports of a May through July Breach

During the data breach, a total of 145 million individuals were believed to have had their personally identifiable information stolen. Further, 11 million individuals may have had their driver's licenses stolen. Together, this information can be used to steal identities for the purposes of procuring credit or even acting as a citizen. Altogether, this means that the May through July breach was one of the worst data breaches in history.

Equifax Serves Malicious Code

The data breaches reported in September have not been the last issues that Equifax has encountered. On October 12, it was also reported that Equifax had served malicious code through its website. Though malicious code being served through third-party applications is not unheard of, this further damaged the organization's reputation and credibility. The malicious code was an advertising program that had been in existence since 2012. Malicious advertising programs are often included within advertising networks; organizations that serve ads should be especially conscientious when scanning their sites for suspicious activity.

Mistakes Made by Equifax

  • Not shoring up security. If sources are believed, Equifax suffered an initial attack and then a subsequent attack by the same individuals. This may mean that the initial weaknesses were not appropriately addressed.
  • Failing to alert the public. The public was not notified of the huge data breaches until well after they had occurred. Because of this, the breaches may have had a more significant impact, as customers might otherwise have been able to mitigate their own damages.
  • Not being proactive about their security. Once security issues were announced, Equifax was under a magnifying glass. Not protecting itself from additional attacks made it very difficult for it to recover from issues such as its website hack.
  • Failing to engage in positive PR. Much of the fallout experienced by Equifax has had to do with negative PR and a lack of successful PR management.

Throughout the past year Equifax has made a number of dramatic mistakes that have injured customer trust. But for merchants, it has become obvious that there are things that can be done to mitigate damage -- and that if these things are not done it can result in an even more challenging recovery.