Equifax, the credit report company, announced yesterday that approximately 143 million US customers have had their details compromised in a breach.
The company also said in an investor Q&A that UK and Canadian customers have also been affected. The information accessed includes names, Social Security numbers, birth dates, addresses and driver’s license numbers. Hackers also accessed around 209,000 consumers’ credit card numbers.
However, the firm said it’s core consumer and commercial credit databases were not accessed.
“It might be ironic for a credit protector that is called upon after major data breaches to be target of one itself, but it just goes to show that no company is immune to suffering a cyber attack,” commented Thomas Fischer, global security advocate at Digital Guardian.
“Once again we see how unprepared management teams are to deal with the aftermath of a serious breach of this nature. We’re told that none of the “core” data has been compromised and yet the management team go on to say that investigators are still examining the extent of the breach. Why also did it take the company so long to notify customers?”
“Breach reporting must be prioritised to limit the damage to affected parties. After all, it’s not possible to change key personal data like your data of birth or social security number. These things are essential in identification and it becomes incredibly difficult to protect yourself from identity theft once this kind of data is out in the open.”
The company said it would work with regulators in the US, UK and Canada on how to move forward following the breach. As a show of good faith, it is also offering free credit monitoring and identity theft protection for a year.
Richard Smith, Equifax’s chief executive, said the incident was “disappointing” and “one that strikes at the heart of who we are and what we do”.
“I apologise to consumers and our business customers for the concern and frustration this causes.”
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
>See also: Don’t play the data breach blame game
The breach is one of the largest ever in the United States. However, it is still dwarfed by the one billion Yahoo user accounts that may have been affected, following a data breach in 2013.
“In case you were wondering why software security is important, here is yet another lesson why. When a large database is connected to the Internet through various applications and is not designed and implemented to be secure, things like the Equifax breach happen.” – Dr. Gary McGraw, vice president of security technology, Synopsys, Software Integrity Group.
Equifax breach should make firms consider their incident response, according to some experts.
Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, explained that “not having a pre-prepared and tested incident response plan causes delay in disclosing data loss which simply opens up the company to further criticism and reputation damage when information is eventually publicised. Moreover, companies have to ensure that they are aware of every outsourcer, business partner or cloud service that may be sharing data, as similar breaches at any of those will have repercussions up the chain.”
GDPR and UK customers
The fact UK customers were impacted, does this have any bearing on the impending EU General Data Protection Regulation?
Fischer suggested that “US-based companies with customers in the European Union should take note. For example, under the GDPR, organisations like Equifax would need to clearly identify what sensitive data is being collected and let customers and in some cases, data protection authorities, know how it is being used.”
“Also, it’s not clear exactly what security measures the company had in place to protect data, but under the GPDR, businesses are required to use appropriate measures to protect all personal data, so any PII Equifax was processing should have been encrypted.”