The Equifax Data Breach: Lessons Learned from a One-Year Look-Back
On September 7, 2017, Equifax announced one of the largest cybersecurity breaches in U.S. history. One year later, companies can protect themselves by learning valuable lessons from Equifax’s short-comings.
Background of Breach
Equifax suffered multiple failures which created a “perfect storm,” and led directly to the massive data breach which affected over 145 million U.S. customers:
- Equifax did not properly update and patch its computer systems, even though a patch for a known exploit had been available since March 2017.
- To make matters worse, the follow-up scans did not detect the vulnerability due to the lack of the patch.
- Furthermore, Equifax did not discover the vulnerability until late June, when the company first noticed suspicious web activity. Even then, access was not cut off until July 30.
However, this is not where Equifax’s failures ended. Following the breach, two situations exacerbated the damage caused by the breach.
- The aggravation of the breach – which occurred when Equifax accidentally promoted a phishing website (a website meant to impersonate a well-known website) which was, in truth, set up to educate users about phishing sites. Furthermore, the correct website required that individuals provide more PII on an unsecured website. This mishap caused more backlash, as individuals faced greater exposure due to the inaccurate information provided by Equifax.
- The second aggravating factor was the terms and conditions of the website, which Equifax construed to waive an individual’s right to sue the company, prompting public backlash and significant criticism from federal lawmakers.
While Equifax clearly failed to adequately protect its clients’ data, the company also failed to appropriately respond to the breach. The culmination of technological and response failures created a nightmare scenario for the company, its leadership, and the millions of Americans who were impacted.
The Equifax breach, and subsequent response, have taught us that companies must focus on three key areas to avoid and/or properly respond to a cyber incident:
- Prevention - through comprehensive internal policies, penetration testing and prompt attention to updates and patches.
- Maintenance - preventative measures must be continuously maintained, as cyber security is a constantly shifting battle between entities and hackers.
- Response - post-incident policies and practices should be approached as a matter of “when” not “if.”
In retrospect, it is clear that Equifax performed poorly in all three areas. Despite presumably strong security policies, Equifax’s failure to ensure that the appropriate patches were installed led to ineffective security updates. Again, this vulnerability existed from early March to late in June. Regular penetration testing, or other, intensive data security processes should have helped catch this breach, or the failure to properly secure data. Trusted and skilled information technology professionals can help alleviate the first and second issues, and avoid them for other entities.
Equifax failed to properly respond to the breach, and enhanced the damage caused. Directing consumers to the incorrect website, and then requiring consumers to provide Equifax with additional PII were significant mistakes. The more appropriate action would have been for Equifax to host a response tool on the main domain of the entity, rather than quickly create a website.
To that extent, a full “doomsday” plan should be prepared, including:
- What website will the response tool be located;
- What domains are not under the entity’s control that could be confused with the website hosting the response tool;
- A review of the cyber-insurance policy held by the entity to determine what would and would not be covered; and
- An agreement with an identity theft prevention and mitigation service prior to a breach occurrence.
Although it was not improper to include an arbitration provision in its terms of service, Equifax suffered a public relations hit as a result. Tying an arbitration agreement to providing any sort of identity theft prevention or mitigation service would avoid some litigation, including a possible avoidance of class-actions. However, this has the chance to backfire in some situations, as occurred with Equifax, where the impact of the breach caused public outcry against the arbitration provision.
Do not wait to become Equifax. There is always time to improve and review your own cybersecurity policies, the maintenance of those policies, and any incident response plan before it becomes an emergency. All of these areas deserve special emphasis. If a breach occurs, litigation arising from a breach is a near-certainty – therefore, a company must be prepared to respond as quickly as possible, understand what notifications are required for its customers, and what other actions might be needed in the immediate aftermath of a cyber event to help limit liability.
In addition, a company should pre-plan steps to allow it to salvage relationships with customers, and attempt to limit the threat of litigation. Taking steps to properly notify consumers, assist in mitigation of damages, and ensure appropriate contractual provisions exist may help prevent litigation.