Cyber breach – millions affected


Equifax has revised its estimate on the number of people who have been affected by the data breach that was disclosed in September 2017.

The company revealed that 145.5 million people have been affected – this is 2.5 million more than previously reported.

Background

Equifax Inc. is a consumer credit reporting agency in the United States. It was founded in 1899 and is one of the largest credit agencies in America. A global service provider, it has employees in over 14 countries. Its annual revenue as reported in 2014 was approximately US $2.7 billion. It is the oldest of the three largest credit agencies, along with Experian and TransUnion. It is headquartered in Atlanta, Georgia.

Equifax holds data on more than 820 million consumers as well as information on 91 million businesses. Twice in the company’s history, it has been fined for violating the Fair Credit Reporting Act by the Federal Trade Commission.

In September 2017, the company announced that a large-scale data breach had taken place. It stated that an unauthorized third party was able to gain access to Equifax data on as many as 143 million Americans. This is nearly half the population of America. The Census Bureau estimates that there are 324 million people in America in 2017.

In addition to the data breach that was reported in September 2017, Equifax has admitted that it had faced another security breach in March, five months before the disclosure was made. The company has revealed that the two incidents are unrelated.

Analysis

In the wake of the controversy, Richard Smith, the former head of Equifax, resigned from his position. Additionally, the actions of four top leaders in the company (Equifax’s chief financial officer, John Gamble; its president of U.S. information solutions, Joseph Loughran; and its president of workforce solutions, Rodolfo Ploder) are under scrutiny. They had reportedly sold a portion of their shares before Equifax had disclosed the breach. The US Justice Department has opened a criminal investigation into the company.

The company has now revised the number of customers who were affected by the breach. According to the newly released statement, 2.5 million more people than previously thought may have been affected. The number now stands at over 145.5 million people. The data of 400,000 Britons and 100,000 Canadians may have also been compromised.

Newly appointed interim CEO Paulino do Rego Barros, Jr. disclosed the news, stating, “I was advised Sunday that the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed, and I directed that the results be promptly released. Our priorities are transparency and improving support for consumers. I will continue to monitor our progress on a daily basis.”

Barros Jr. apologized on behalf of the company, adding, “I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.”

The former CEO, Smith, will be testifying in Congress about the attack. He also provided written testimony to Congress. He revealed that the company was alerted in March to the software security vulnerability that was ultimately exploited by the hackers. However, it was months before that vulnerability was patched. He attributed this to “both human error and technology failures.”

Assessment

As we had cautioned before, this breach has compromised the private information of millions of people. This vindicates the view that sensitive data stored by governments and organizations across the world are vulnerable. It appears to us that the senior management, including the board and the CEO, were complacent and did not do what was necessary to mitigate the threat. The sentiments expressed by members of Congress that Equifax deserves public shaming carry the message home. Both the members of the board and the CEO are responsible for such glaring demeanors that cause not only financial losses but also an intrinsic loss of faith in the financial system.
