cyber-security 20 October 2017

Equifax breach highlights importance of company response to cyberattack

The former CEO of US credit reporting agency Equifax, Richard Smith, has testified before Congress over the substantial breach of the sensitive data of millions of Americans.

Equifax has revealed that the breach potentially affects 2.5m more people than it first stated, bringing the total number of people whose details, such as social security numbers, addresses, and driver’s licence numbers, have been compromised to 145.5 million US customers, as well as 400,000 Britons and 8,000 Canadians.

Equifax is being investigated by the Federal Trade Commission and several congressional committees. It faces criticism both for lax data security practices and for its poor response to affected consumers: after disclosure, the company struggled to handle the volume of calls and its complaints website malfunctioned. Equifax may also face a probe by the Securities and Exchange Commission (‘SEC’) for alleged insider trading, after three executives sold shares after the breach had been discovered internally but before it was disclosed to the public.

‘It’s like the guards at Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults,’ said Greg Walden, the chairman of the Energy and Commerce Committee during questioning of Smith. ‘How does this happen when so much is at stake? I don’t think we can pass a law that fixes stupid.’

Members of Congress have questioned the delay between the first intrusion, in May, and disclosure of the breach to customers in September. According to Smith’s testimony, Equifax became aware on 29 July that attackers had exploited a vulnerability for which a software patch was available but had never been applied; the company did not know the full extent of the intrusion until mid-August, after a forensic investigation. The vulnerability had been flagged to Equifax in March but was not addressed. Smith attributed the breach to ‘human error and technological error’.