In September 2017, the credit score company Equifax announced that it had become the victim of one of the largest data breaches of all times. Although it wasn’t the largest – that dubious honor goes to Yahoo, which lost details of around 3 billion accounts in 2013 – the Equifax data breach saw the data of around 145 million US consumers exposed, along with those of millions of people from other countries.
The company discovered the breach in July of the same year, and estimated that it had been ongoing since May 2017. A House Oversight Committee report on the breach concluded that Equifax’s security practices were insufficient, and that its systems were outdated. It also exposed the company’s poor IT practices, since basic measures such as patching vulnerable systems could have prevented this breach.
The fallout for Equifax is ongoing
Despite the fact that this data breach happened two years ago, Equifax is still feeling the repercussions of its cybersecurity failings. At the end of May this year, the credit ratings agency Moody’s downgraded its ratings outlook for the company from stable to negative.
Moody’s cited a $690 million charge related to the breach in the first quarter of 2019 as a contributing factor in the downgrade. However, this is far from being the only expense that the company has incurred as a result of the breach. In the first quarter of this year, they also had $786.8 million in general costs related to the breach, including $82 million in technology and data security costs, $12.5 million in legal fees and $1.5 million in product liability. The total cost of the breach so far has been $1.4 billion. And the cost will doubtless keep going up.
A Moody’s spokesperson said that the Equifax case was particularly significant because “it is the first time that cyber has been a named factor in an outlook change.”
What can we learn from this case?
The company committed multiple cybersecurity mistakes, all of which led to these astronomical costs. The first of these mistakes was to ignore an important security patch. According to the company, an employee ignored a patch that needed to be installed on Apache Struts, the web application framework they used. What’s more, this patch was available two months before the data breach.
The breach was active between May and July 2017 – three months. With this in mind, it is clear that the company didn’t know what was happening on its network, and didn’t have appropriate controls on the personal data that it handled. Indeed, this was one of the conclusions in the House Oversight Committee report: “Equifax did not see the data exfiltration because the device used to monitor [the vulnerable server’s] network traffic had been inactive for 19 months due to an expired security certificate”.
How to avoid becoming the next Equifax
No company wants to become famous for a security breach. Both financial and reputational damage can endanger the organizations that fall victim to this kind of cybercrime. And it is worth remembering that, with the GDPR, it is highly likely that the costs stemming from data breaches are going to keep going up.
The first thing that any company needs to do in order to stay safe from any kind of cyberthreat is to have total visibility of everything that is happening on their IT system. This is what Panda Adaptive Defense does. It monitors all active processes on the system in real time. This way it is possible to predict potential alerts before they can pose a security risk. It also has a module specifically designed to monitor and protect personal data.
The Equifax breach was made possible thanks to a patch that wasn’t installed. Companies often have difficulty searching for and applying relevant patches, due to a lack of time and resources. With Panda Patch Management, a module of Panda Adaptive Defense, you can be sure to always have the necessary patches, and thus be protected against any cyberattack that exploits vulnerabilities.
The post Equifax is still paying for its data breach: $1.4 billion and counting appeared first on Panda Security Mediacenter.