By Mariann Utrosa • September 18, 2017

The Equifax Breach … How did it happen, and why was the fallout so fast and furious?


Equifax, one of the world’s largest credit reporting companies, suffered a data breach so large in scale that security industry experts are calling it “an unmitigated disaster”.

The breach affected approximately 143 million Americans, plus an undisclosed number of additional individuals in Canada and the United Kingdom. The attackers accessed and copied critical data held on Equifax networks, including what is considered the “crown jewels” of personally identifiable information (PII): social security numbers, addresses, birth dates, credit card numbers, and other PII.

So, what actually happens in the aftermath of a large corporate data breach? 

Data For Sale

Simple. Stolen information is sold on the black market. According to Experian, a credit bureau and identity protection service provider that is all too familiar with being hacked after suffering a network breach of its own, PII such as Social Security Numbers and email account credentials can sell for as little as $1 on the dark web. We may not feel threatened when our Netflix credentials are compromised, passed to someone else, or used to stream content from our account … but the reality is that an alarmingly high percentage of people continue to use the exact same set of credentials for everything. A single leaked username and password can be replayed against banking accounts, insurance portals, government correspondence, medical, education or legal records … so the potential return on a hacker’s $1 and invested time can be immeasurable.

Class Action Lawsuit

After the breach was announced publicly, it took less than 24 hours for Equifax to be served with a 68 billion dollar class action lawsuit, filed in federal court in Portland, Oregon by the law firms Olsen Daines PC and Geragos & Geragos. The plaintiffs allege that Equifax was negligent in protecting the data it held, and chose to save money rather than safeguard consumers’ information. The suit seeks 68 billion dollars in total damages which, according to Geragos & Geragos, makes it the single largest class action lawsuit in US history.

Stock Sale or Insider Trading Investigation

Three Equifax executives have been criticized for selling shares with a combined value of $946,374 USD only days before the breach was announced publicly. The executives deny any prior knowledge of the breach when they sold, and say they sold only a “small percentage” of their respective holdings. Shares traded at about $146 USD at the time of those sales; they have since fallen by roughly a third, closing at $98.99, below $100 for the first time since February 2016. It is too soon to say how this will play out, but if the executives knew anything about the breach before selling their stock, they will face criminal and / or civil insider trading charges.

General Data Protection Regulation Penalties

The GDPR is a major piece of legislation that comes into effect on May 25th, 2018. It will apply to any organization that processes the personal data of EU residents, wherever that organization is based. GDPR carries substantial penalties for non-compliance: up to the greater of 4% of worldwide annual turnover or 20 million Euros. Note that the cap is applied to the organization’s turnover and does not scale per affected record. In the UK, data belonging to approximately 44 million people was reported exposed through the Equifax breach; had the GDPR been in force, an incident of this scale could have exposed Equifax to a fine in excess of 60 million Euros. The Equifax breach itself predates the regulation, which is not retroactive, but the next such breach will not. With teeth like that, organizations must take the GDPR seriously and prepare accordingly.

Negative Social Media

Some say that “there’s no such thing as bad publicity”, and it is true that when people are talking about you, regardless of context, your company and brand are on their minds … but so too are your history, reputation, and integrity. Target disclosed a data breach in December 2013, and its profit for the following quarter tumbled by 44%. Lululemon Athletica also saw its stock fall by 44% immediately after founder Chip Wilson made some ill-judged comments. Since the breach, Equifax has taken a major blow to its credibility, and it will take some time to see just how badly negative PR and social media play out for the company. In light of the startling scale of the breach, executives accused of profiteering, and pending fines … it sure doesn’t look good.


The Equifax breach may go down in history as one of the biggest data security failures to date. Given the nature of the stolen information, how do we fix it? Social security numbers, unlike passwords, cannot simply be rotated by their owners. Should the US government replace and reissue social security numbers to the 143 million people affected? Should individuals be expected to defend themselves against identity theft? How culpable is Equifax for all of this? Watching the situation unfold through investigation, testimony, and court rulings will be captivating to anyone working in the cyber security space.


“This thing is going to get worse. The first rule of data breaches ... the number they give you is not the real number. It’s going to be higher” – Morgan Wright.