In March 2017, the US-CERT (U.S. Computer Emergency Readiness Team) alerted businesses to a new critical security vulnerability found in Apache Struts, an open-source framework used to build Java web applications, and encouraged those using a vulnerable version of the software to immediately update to a new version for free. One business US-CERT alerted was Equifax, a consumer-reporting agency in the U.S. that offers credit reporting and other services. Unfortunately, despite some haphazard attempts by Equifax to address the problem, the vulnerability remained unpatched for several months.
By the time Equifax’s security team started seeing some suspicious traffic, the damage was already done. In September 2017, Equifax disclosed the data breach to the public, which involved 147 million consumers and various pieces of their sensitive personal information, including names, birthdays, social security numbers, physical addresses, telephone numbers, email addresses, and payment card numbers and expiration dates.
The FTC (Federal Trade Commission) sued Equifax for putting consumers at risk for identity theft by failing to take “numerous basic security measures” that may have prevented the breach. At the end of last month—July 2019—the FTC announced Equifax agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement.
The proposed settlement would include Equifax paying $300 million to a fund that provides affected consumers with credit monitoring services and compensates consumers who purchased services as a result of the data breach, including identity monitoring services. In addition to paying civil penalties to various states and to the CFPB (Consumer Financial Protection Bureau), the FTC says Equifax has also agreed to offer U.S. consumers six free credit reports per year for seven years, starting January 2020.
Equifax has further been tasked with implementing a new information security program and designating an employee to oversee the program internally. Specifically, the settlement requires measures such as: conducting annual assessments of internal and external security risks and implementing safeguards to address potential risks, testing and monitoring the effectiveness of the security safeguards, and making sure that service providers that access personal information stored by Equifax also implement safeguards. Every two years, the company will need to have its security program assessed by a third party, and it must provide an annual update to the FTC on its consumer claims process.
Clearly, the easier path would have been to address the problem upfront. Other companies can learn from the Equifax breach of 2017 and the proposed settlement. Equifax's mistakes included not implementing a policy that would have ensured security vulnerabilities were patched once they were known, and not segmenting its database servers, which would have helped contain the breach after it happened. These relatively straightforward security measures may have prevented or minimized the huge security disaster a couple of years ago, and even though Equifax can't take its mistakes back, the company can serve as a cautionary tale for others that don't want to be the next one the FTC makes an example of. While all companies that store and use consumer data have an obligation to do their best to protect this data, this is particularly true for businesses that store and use sensitive data that, if compromised, could lead to devastating crimes like identity theft.