Dan Goodin, security editor for tech news website Ars Technica, has called the Equifax data breach “possibly the worst leak of personal information ever.” The breach exposed private information of an estimated 143 million Americans. Yet despite making international headlines in September, the Equifax data breach has largely disappeared from public view. It has resurfaced in the news only a few times since then.
Here’s a recap of the incident, as well as an Equifax update on how the company has handled the largest known data breach to-date.
Equifax is a global information solutions company with more than 10,000 employees in 25 countries around the world. Along with Experian and TransUnion, the company is also one of the three largest consumer credit reporting agencies in the United States. Equifax sells credit monitoring and fraud prevention services to consumers but also performs commercial reporting by offering credit, data, and services to organizations.
The breach is believed to have been caused by a preventable software flaw. More specifically, by a weakness in the Apache Struts open source framework for developing Java web applications. When it was first detected in March 2017, the flaw was added to the U.S. government’s National Vulnerability Database, where it was given the innocuous name “CVE-2017-5638.”
Although the U.S. Department of Homeland Security informed Equifax that it needed to update Apache Struts in March, Equifax failed to find any systems affected by this flaw during a scan of its network. As a result, the company was unaware that the vulnerability was present in its own systems until the end of July when the organization discovered a flow of suspicious network traffic.
The company moved to patch the vulnerability immediately once it was found, but it was too late. Attackers had already begun to infiltrate Equifax’s servers and network two months prior, in May 2017.
Despite fixing the issue and discovering suspicious network traffic in late July, Equifax did not announce the breach until September 7. This delay led to a great deal of criticism from both security experts and members of the public.
In total, the Equifax data breach exposed the personal information of 143 million Americans. This included sensitive information such as names, Social Security numbers, birth dates, driver’s license numbers, and more than 200,000 credit card numbers.
The sheer number of victims isn’t what makes the Equifax breach so shocking. In terms of quantity, it’s dwarfed by other breaches such as Yahoo’s 2013 email hack, which compromised every single one of the company’s 3 billion user accounts. What truly makes the Equifax data breach so devastating is the combination of the volume of victims and the highly sensitive data that it exposed.
People use private information such as SSNs, birth dates, and driver’s license numbers for authentication purposes with banks, insurance companies, and other financial institutions. The Equifax breach means that these formerly secure methods of identity verification may no longer be trustworthy.
Since the announcement of the breach in September, there’s been a bit of a bloodbath in the upper echelons of Equifax. A week after the announcement, chief information officer David Webb and chief security officer Susan Mauldin both declared their retirement. Mauldin also received a good deal of attention and criticism for her educational background in music composition. She held the CSO position at Equifax without any formal technology or security training.
Equifax’s CEO Richard Smith likewise retired but was still allowed to continue earning unvested stock compensation because he wasn’t forced out of the company. As a result, Smith will be eligible to collect a paycheck of more than $90 million over the next few years.
Other executives weren’t so lucky. Equifax made the decision to forfeit their 2017 end-of-year bonuses as a direct result of the breach. This is no small matter — cash bonuses accounted for over $83 million in 2016.
To make matters worse, Equifax CFO John Gamble and three other executives were put under investigation for selling $1.8 million in stock soon after the vulnerability was discovered. They were later cleared of wrongdoing.
As a direct result of the Equifax data breach, the U.S. Congress has proposed the Data Breach Prevention and Compensation Act. This legislation would require credit reporting agencies to pay a fine of $100 for every person who has their information stolen. There would also be an additional $50 per record penalty for exposure of that person’s data. If the act had been in place during the breach, Equifax would have owed upwards of $1.5 billion in damages.
Incredibly, millions of victims of the Equifax breach were still unaware of the hack months later. Others have launched class action lawsuits that could potentially cost Equifax upwards of $1 billion. State and local governments responded upon hearing reports that Equifax attempted to get consumers to waive their right to sue in exchange for credit monitoring. The company has since clarified that the arbitration clause does not apply.
The Federal Trade Commission is launching its own investigation.
To its credit, Equifax has taken serious steps to remedy the breach. The company is providing a free relief package for affected consumers, including:
In other respects, however, Equifax remains worryingly behind the times. During a U.S. Congress hearing in November, Equifax’s new interim CEO Paulino do Rego Barros Jr. reported that he simply “didn’t know” whether the company had encrypted its data as a result of the breach.