Equifax Data Breach is among the biggest hacks within the last decade. While companies try to stay one step ahead of cyber criminals, the case of Equifax is different because they had almost two months to install preventive measures that would have prevented the breach. This blog will discuss what problem allowed hackers in, the stakeholders affected, how the hack occurred and what Equifax would have done to prevent the breach.
What the Problem Was
According to Turner (2017), Cyber criminals breached Equifax and managed to steal sensitive information, such as, names, social security numbers, birth dates, addresses, and some driving license numbers. Up to 143 million user data were at risk during this breach. According to Equifax (n.d.), the breach happened between mid-May and July, however, Equifax discovered the breach on July 29. Residents of countries like the U.K. and Canada were also affected by the breach.
Who Were Impacted by the Breach?
Although approximately 143 million users were at risk of being exposed, further research by Equifax showed that 2.4 million users lost partial or incomplete information about them. In most cases, addresses were not present and driving license information were not complete as they did not include issuing state, date issued and expiring dates. The company also lost approximately 209,000 credit card numbers for U.S. customers and approximately 182,000 personal user information (Newman, 2017).
How The Hack Happened
The breach occurred through an Apache Struts web-application that had susceptibilities. Although a patch of the application had been released two months earlier, the company had not updated it thus becoming vulnerable to hackers (Newman, 2017). The blame however is not on The Apache Software Foundation because according to them, a patch had been released. Apple often advise users to update and patch their software as soon as new patches are released. Apache also mentioned that most breaches occur as a result of failure to patch and install updates (Gielen, 2017).
While Gielen, the Vice President of Apache Struts, was sorry, he clearly attributed the breach to failure by the Equifax to patch the software and urged businesses to always follow guides to patch and update software. It is unfortunate that a credit-reporting company with data of more than 143 million people had two months to take preventive measures that would have prevented the breach.
What Could Have Been Done to Prevent the Breach
Although the breach was among the biggest in history, the prevention would have been the easiest. With Apache having released a patch and a guide on how to update the software, the only work left for the IT or cyber security department officials at Equifax was to follow the guide and patch the web-application. The patch, according to Gielen (2017), would have prevented the breach.
The breach shows that the company was reluctant with their security and response measures. It is believed that the breach occurred in May while the company learnt about it towards the end of July. This suggests that the company did not have enough preventive measures, such as, firewalls and intrusion detection/prevention systems. After the breach, the company also feared for its reputation, hence took more time before reporting the breach to both the authorities and the affected customers.
This blog discussed the 2017 Equifax Data Breach, how it happened, who were affected and how it could have been prevented. Cyber Security experts should learn the importance of patches and software updates from this case. A simple failure to patch a web-application resulted in a breach ranked among the top breaches and hacks of the 21st century. Companies should also learn from this case that having cyber security experts and response measures in place helps to prevent and/or respond to attacks fast.
EQUIFAX (n.d.). 2017 Cybersecurity Incident & Important Consumer Information. Retrieved from https://www.equifaxsecurity2017.com.
Gielen, R. (2017). Apache Struts Statement on Equifax Security Breach. Retrieved from https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
Newman L. H. (2017). Equifax officially has no excuse. Retrieved from https://www.wired.com/story/equifax-breach-no-excuse.
O’Brien, S. A. (2017). Giant Equifax data breach: 143 million people could be affected. Retrieved from http://money.cnn.com/2017/09/07/technology/business/equifax-data-breach/index.html.
Turner, K. (2017). The Equifax hacks are a case study in why we need better data breach laws. Retrieved from https://www.vox.com/policy-and-politics/2017/9/13/16292014/equifax-credit-breach-hack-report-security.