On Thursday, credit rating agency Equifax announced that it had suffered a major data breach that compromised details of millions of customers, including credit card details of over 209,000 citizens.
Equifax also confirmed that hackers were not able to access core consumer or commercial credit reporting databases.
Going by the total number of consumers affected, the Equifax data breach now ranks among the largest data breaches in American history. As admitted by Equifax, the breach compromised sensitive data belonging to 143 million consumers, a number of them foreign citizens.
Here’s how the breach happened, how Equifax responded to it, and what steps it need to take to ensure the sanctity of customer data in the face of sophisticated cyber-threats:
The Equifax breach details
As per Equifax’ estimates, the initial breach took place in mid-May when hackers were able to exploit a U.S. website application vulnerability to gain access to certain files. However, these files did not include core consumer or commercial credit reporting databases.
Following the breach, the hackers were able to access names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of millions of citizens.
Credit card details of 209,000 US citizens and personal identifying information for approximately 182,000 U.S. consumers were also accessed by hackers following the breach. Limited personal information of several UK and Canadian citizens were also accessed by the said hackers who have not been identified so far.
Equifax breach discovery
Equifax discovered the breach on 29th July and immediately took steps to contain it. In the week that followed, Equifax’ Chief Financial Officer, the president of U.S. information solutions, and the president of workforce solutions sold a combined $1.7 million in company stock. Equifax later denied that the three officials were in the know.
Following the discovery of the breach, Equifax informed law enforcement agencies about the same and also engaged an independent cyber security firm to determine the scope of the intrusion, including the specific data impacted.
Equifax finally announced the data breach yeaterday, revealing the true extent of the hack in a detailed press release. Following the accouncement, the credit rating firm’s stock fell 13% in New York and is expected to fall further.
“I apologise to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations,” said Richard Smith, Chairman and CEO of Equifax.
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident,” he added.
Were UK citizens affected by the Equifax data breach?
Equifax holds personal and financial data of over 44 million British nationals but it is not known how many have been affected by the breach. The Information Commissioner’s Office is now working with the agency to obtain more information about how much data was impacted by the breach.
“Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern. We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised,” said James Dipple-Johnstone, ICO deputy commissioner.
“We will be advising Equifax to alert affected UK customers at the earliest opportunity. In cyber-attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens,” he added.
What’s next for Equifax and the industry?
To help its customers find out if they were affected by the breach, Equifax has set up www.equifaxsecurity2017.com, a new website aimed at helping citizens with their credit file monitoring and identity theft protection. Consumers are also being offered year-long complimentary identity theft insurance, internet scanning of SSNs, ability to lock and unlock credit reports and 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports.
READ MORE: Understanding the social engineering threat
“I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will,” said Smith.
Even though the independent cyber security firm hired by Equifax to investigate the breach hasn’t released a detailed report yet, Lee Munson – Security Researcher at Comparitech.com, believes that the scale of the breach can have far-reaching consequences for American consumers of Equifax.
‘That the target of this breach is a company that deals in such sensitive information, including credit card numbers and bank account details, highlights the value of personal and financial data to those who would steal it. Anyone potentially affected by the breach has some work to do now. While it is not known whether card data was encrypted or not, I suspect it is likely that personal information was easily accessible,’ he said.
He warns that to protect their other accounts and financial data, affected consumers must change their passwords accross all accounts, stop using the same passwords for different accounts- personal or financial, and should regularly check bank account statements and credit reports for abnormal or unauthorised activity.