What to Learn from Equifax's Cybersecurity Vulnerabilities

Written by Jeffrey Forbes | Feb 15, 2018 2:00:00 PM



Another major data breach at an American company worth billions of dollars has heightened cybersecurity concerns in businesses of many sizes in many countries. Equifax announced in September 2017 that a massive theft of data from its systems had occurred. The failures of Equifax's cybersecurity team resulted in hackers obtaining the personal information of over one hundred and forty-five million of the people whose credit history Equifax tracked.

The Fallout After The Equifax Announcement

The potential economic consequences of that breach for those people are enormous. As more information about the intrusion becomes public, though, the more significant question is how this attack was allowed to happen.

It appears Equifax fell victim to two of the most frequent failures of cybersecurity, along with a few other more complex ones:
1. They failed to update their systems as frequently as they should have.
2. They neglected to strengthen their human firewall.

Resignations Of Key Players After The Equifax Hack

In light of these failures, their Chief Information Security Officer resigned, as did the CEO. Experts have seriously questioned whether Equifax had devoted the resources it needed to prevent attacks like this, which raises the question of liability for board members and executives at the company going forward.

Lack Of Software Protection

The Equifax breach occurred through a known vulnerability in a web software package called Apache Struts. The United States State Department had notified companies of the Apache Struts vulnerability in early March 2017. This information was sent to Equifax's information technology team, but there was insufficient follow-through. The actual hack occurred almost two months after Equifax received notification of the vulnerability in a system they used, and it continued undetected for another two and a half months.

Overconfidence In Existing Systems And Bad Communication Between Employees

Equifax's human firewall failed because the company did not put appropriate resources into information security and did not build redundancies into its system. The former Equifax CEO has attributed the breach to a single employee who failed to heed security warnings and forward vital information to other employees. In an adequately built system, no single employee should ever be able to cause a breach of this magnitude. Additionally, the security software used by Equifax failed to catch the known vulnerability.

Businesses Of Any Size Can Be Guilty Of These Mistakes

Consider that, according to a 2017 study from Spiceworks, 14% of business laptops and desktops are still running Windows XP, an operating system that was replaced by Windows 7 and then phased out of all support and updates in 2014. IT pros have cited no immediate need, lack of time, and budget constraints as reasons for sticking with their current OS instead of upgrading to the latest and greatest.

Fallout After The Breach

As is becoming standard, the breach has led to massive stock price drops, resignations, and congressional hearings. In the period following the breach's announcement, Equifax's stock dropped by approximately 30%, causing the company to lose more than three and a half billion dollars in value. That loss already makes the Equifax hack one of the most expensive breaches in this new cybersecurity era.

Key Takeaways For Businesses Of Any Size

Charlie E. Bernier, Principal Consultant and Cyber Insurance Expert at ECBM, says, "The days of a hope and pray strategy for managing information security no longer exist for businesses that want to survive. There are billions of dollars on the line." Your competition will just need to be available to catch the patrons that leave or avoid your business due to the damaged reputation of your company. Charlie recommends that "Successful companies will invest in mitigating against potential losses now, as it's as important as any other measures they take for business longevity and success."