When any globally recognised organisation reports a data breach there are going to be a number of concerned parties, for Equifax there are literally hundreds of millions of concerned parties. The company has reported that a large-scale data breach led to the records of up to 143 million customers in the States being stolen, in addition to an unknown number of Canadian and British customers.
Unsurprisingly the company’s stock value has dropped some 13% since the event and all eyes now turn back to the company as the fall-out is evaluated and they are left to clear up the mess.
For Hacks Sake!
Although full details of how the data was stolen have not emerged, Equifax have been forthcoming with information and official statements, including that of CEO Richard Smith.
“This is clearly a disappointing event for our company, and on that, strikes at the heart of who we are and what we do”
Among the data stolen by hackers over an almost two-month period, Mid-May to July, it is believed that over 200,000 credit card details were taken. Hackers were able to ascertain access to systems via a ‘website application vulnerability’. It has been reported that Equifax’s core database systems remained intact and had not been accessed; Equifax holds data for more than 890 million customers and over 90 million businesses. Protecting data on that scale is a challenging task but for such a large organisation with such an established business in data, more should have been done.
With this hack making headlines globally it’s not much of a surprise that many regulators and authorities have begun investigating the hack. Among these is the FBI and in the UK the ICO who have stated that this hack is “cause for concern”, and cause for financial penalisation in the not too distant future.
The ICO (Information Commissioners Office) is the data regulatory authority in the United Kingdom and will be responsible for ensuring that any British citizens affected by the breach are treated in the correct way. Equifax has a responsibility to adhere to data laws of countries where it operates and should be well aware of the impending General Data Protection Regulation (GDPR). Under the GDPR organisations can see fines of up to £17 million or 4% of global revenue for serious data breaches such as this one.
“The Credit Bureaus have for the most part shown themselves to be terrible stewards of very sensitive data… more oversight [is needed] from regulators and law makers”- Cyber Security Expert, Brian Krebs.
The Breach Threat
Data breaches can come in many forms ranging in size and severity, the accidental loss or deletion of data is classified as a data breach but is often not as severe as a hack or external breach. Cyber-security threats are not new; however, the last 18 months have seen an unprecedented rise in the number of attacks reported, especially with malware and ransomware. It is important for organisations of all sizes, global or otherwise, to ensure that steps have been taken to mitigate the risk of a data breach. Steps can include:
- Implementing an accurate reporting process
- Limiting access to sensitive information
- Securing data on split networks
- Taking an off-site backup of data