Equifax’s data flaws are more the rule than the exception

Warning: I’m about to make an argument that could be viewed as mildly sympathetic to the current public enemy No. 1 — Equifax.

Resist for a moment the urge to brush it off or fire away at me on social media. Our high-outrage, quick-to-react society could stand to benefit now and again from a little reflection, and shedding a broader light on the Atlanta credit bureau’s data-security disaster could be useful in fixing the problems that have ailed us for years.

No organization is immune to data breaches, and a lot of potentially personal data was out there already thanks to all the screw-ups that preceded Equifax’s. And, by some measures, there have been bigger exposures of private information.

Moreover, the gaffes keep coming. Just in the past two weeks, the Securities and Exchange Commission and Deloitte have announced large breaches affecting nonpublic corporate data and customers’ private emails. In the past few years, numerous breaches have affected millions of sets of personally identifiable information, credit card numbers, Social Security numbers and even fingerprints.

But the hack that Equifax announced Sept. 7, in which the personal information of 143 million Americans was stolen, struck a nerve that, three weeks later, is still provoking angry reactions from Congress, consumer advocates and the public.

In a Senate hearing Tuesday, Sen. Mark Warner suggested that Equifax may have forfeited the right to stay in business.

“The Equifax breach is so egregious,” the Virginia Democrat said. “No. 1, in terms of the sloppiness of their defenses. Two, in terms of the fact that this was clearly a knowable vulnerability — they had known for months and if they had simply put a patch in place we might have precluded this.”

The student loan marketplace provider LendEDU surveyed consumers this week and found that 54% think Equifax should lose its ability to act as a credit bureau.

“Because this story is fresh and reactions have yet to be tempered, that percentage would most likely drop if you ran the same poll in six months,” said Mike Brown, research analyst at LendEDU. “But I would not expect the percentage to drop drastically because the Equifax breach has had a direct impact on the lives of many American consumers.”

And therein lies one of the reasons for the harsh condemnations of Equifax: The breach was something everyone could understand — and it tapped into existing fears about overall financial security.

However, consumers have survived arguably worse hits in recent years. Let’s compare the Equifax breach to Yahoo’s and some other recent data break-ins.

Scope of the problem: Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers for 143 million people were exposed in Equifax’s breach. In addition, credit card numbers for about 209,000 U.S. consumers and dispute documents with personal identifying information for roughly 182,000 U.S. consumers were vulnerable.

That’s a lot of compromised data, but during Marissa Mayer’s tenure at Yahoo, the company reported two massive breaches, one affecting more than 500 million Yahoo user accounts, the second more than 1 billion accounts. Both are considered the largest breaches discovered in the history of the internet. Names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords were all stolen.

Disclosure gaps (chart): Other organizations took longer than Equifax to inform the public about data breaches. The chart shows examples in months between a hack and its announcement.

Notification timeline: Equifax says the unauthorized access occurred from mid-May through July 2017; it reported it in early September.

“The timeline alone says a lot, and it’s not terribly flattering for this company,” said the security blogger Brian Krebs.

There’s often a time lapse between when a breach takes place, is discovered and is reported. In most cases, including Equifax’s, the company says this is due to the need to investigate whether, how and to what degree a breach occurred.

In Yahoo’s first breach, two years passed between the breach occurring and being reported; in the second, the gap was three years. The SEC’s Edgar database breach went unreported for 11 months.

Security negligence: Hackers broke into Equifax by exploiting an unpatched vulnerability on its U.S. web server, a flaw in the open-source Apache Struts framework it used to build its web applications.

It’s not unusual for hackers to exploit a server vulnerability.

Hackers who stole the personal data of about 4.5 million patients of hospital group Community Health Systems in 2014 broke in by exploiting Heartbleed, a security bug in the OpenSSL cryptography library.

In the JPMorgan Chase data breach of 2014, in which account data of 83 million households and small businesses was compromised, cybercriminals got in through one neglected server that was not protected with two-factor authentication.

Equifax, of course, is in the business of protecting and selling data.

“They neglected to patch an internet-facing web server for four months,” noted Krebs. “Somehow all this sensitive data that they make a lot of money selling was left connected to a server that for all intents and purposes, they forgot about.”

Still, I haven't seen evidence yet that Equifax was sloppier with data security than other companies. Web servers should be patched, for sure, but I think you would have trouble finding a company that doesn't have one server or desktop somewhere with a vulnerability a hacker could exploit. So the outrage over the breach itself feels excessive in that sense.

But the way the company initially tried to sell its credit monitoring service to victims and ask them to give up the right to sue in the aftermath seems remarkably callous. It also charged victims a fee to freeze their credit files at first, then later offered that service free.

Moreover, Equifax offered a website that consumers could use to learn whether they were victims of the breach. The website had traits in common with a phishing website — it was not hosted on a domain registered to Equifax and it ran on WordPress, a content management system that is not typically used for high-security applications.
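The first of those phishing traits, a notification site that is not hosted under a domain the company itself registers, is something a consumer or a security team can check mechanically. The following is an added example written for this column, not code from Equifax or any vendor: it takes a link and decides whether its hostname sits under one of an organization's registered domains. The domain list (`example-bank.com`, `example-bank.net`) is a constructed placeholder standing in for what an organization would load from its registrar or asset inventory. The matching is done on DNS label boundaries rather than by substring, so a host that merely contains the real name (`notexample-bank.com`, or `example-bank.com.evil.test`) is still flagged as unverified.

```python
"""Decide whether a breach-notification link is hosted under an organization's own domain.

Added example for this column; not Equifax's or any vendor's code.
ORG_DOMAINS is a constructed placeholder for the organization's registered domains.
"""
from urllib.parse import urlsplit

# Constructed placeholder: the domains this organization actually registers.
# In practice this list comes from registrar records or an asset inventory.
ORG_DOMAINS = frozenset({"example-bank.com", "example-bank.net"})


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL or bare host, without port, path or userinfo."""
    # urlsplit only parses the authority part when a scheme or leading '//' is present.
    parts = urlsplit(url if "//" in url else "//" + url)
    host = parts.hostname or ""
    return host.rstrip(".").lower()


def is_org_domain(url: str, org_domains=ORG_DOMAINS) -> bool:
    """True only if the host equals an org domain or is a subdomain of one.

    Comparison is on whole DNS labels, so a registered name appearing as a
    substring (notexample-bank.com, example-bank.com.evil.test) does not match.
    """
    host = hostname_of(url)
    if not host:
        return False
    labels = host.split(".")
    for domain in org_domains:
        dlabels = domain.lower().split(".")
        if len(labels) >= len(dlabels) and labels[-len(dlabels):] == dlabels:
            return True
    return False


def triage(url: str, org_domains=ORG_DOMAINS) -> str:
    """Classify a notification link as 'org-controlled' or 'unverified'."""
    return "org-controlled" if is_org_domain(url, org_domains) else "unverified"


if __name__ == "__main__":
    # Constructed sample links: one legitimate subdomain, three lookalikes.
    samples = [
        "https://breach-check.example-bank.com/start",
        "https://example-bank-breach2017.com/",
        "https://example-bank.com.evil.test/",
        "https://notexample-bank.com/",
    ]
    for link in samples:
        print(f"{triage(link):15} {link}")
```

The `unverified` result is not proof of fraud; a company may legitimately stand up a separate domain, as Equifax did. It is the signal that the reader has to verify the site some other way (for instance, by following a link from the company's main site) before entering any personal data.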

“They made misstep after misstep in disclosing this, which communicates to a lot of people that they don’t view the American public as their customer because they’re not — they are the product,” Krebs said. “I think maybe that became clear to a lot of people for the first time, which is probably where a lot of the vitriol against the company has come from over the last few weeks.”

It’s never easy to respond to a data breach, but Equifax seems to have made more mistakes than most.

In life, if you make a mistake, sincerely apologize and genuinely try to make amends, you often end up with a stronger bond with the wronged party than you had before. Equifax is trying to do this now, with the new CEO's mea culpa in Thursday's Wall Street Journal and the company's new offer of free credit monitoring for life.

It didn't take these steps at the outset, and it will continue to pay for that error for a long time.

However, data breaches themselves are a widespread problem, and business and government leaders should have done more to prevent them before now.

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.
