SecurityCents Blog

Insights on payment data security, payments news and trends

EQUIFAX BREACH 2017 | What We Know and What We Can Learn


In September 2017, Atlanta-based major credit reporting bureau Equifax reported that it had experienced a cyber-attack earlier in 2017, leading to a series of wide-reaching data security breaches from mid-May through the end of July 2017.

Here’s What We Know:

This is not the first high-profile breach in recent years. A number of large, well-known corporations across a number of industries have been targeted by hackers as of late, including Target, Time Warner, and Verizon to name a few. However, the scope of this breach, which affects 143 million people (nearly half of the population of the U.S.), and Equifax’s responses to it have made this event stand out for the worst reasons.

It has been reported that hackers were able to access sensitive customer information from Equifax’s network by exploiting a flaw in the tool Equifax used to build web applications, such as some of its online customer portals. The industry group that manages the tool had announced the vulnerability and provided a patch in March 2017, but it seems that Equifax did not take timely action to ensure that its systems had been properly patched. Furthermore, it took Equifax execs nearly six weeks to publicly announce the breach after confirming that it had occurred and being aware of its scope, denying customers the chance to protect themselves and their information during that time while allowing the thieves ample opportunity to continue misusing sensitive information.

By hacking Equifax, the criminals may have gained access to customer social security numbers, credit card numbers, addresses, and even driver’s license numbers in some cases. As a credit reporting agency, Equifax collects this information from credit card companies, banks, lenders, and retailers, and then compiles and uses it to determine credit scores. Thus, tens of thousands of people who are not direct consumers of Equifax’s services may have had their personal information collected by the company from an outside source and subsequently collected by hackers.

Here’s What We Can Learn:

The fallout from this incident has been immense and wide-reaching. Credit card holders from every US state, as well as the UK and Canada, may have had their personal information compromised. If prior high-profile breaches weren’t evidence enough, THIS incident should serve as a clear wake-up call to all companies handling high volumes of private customer data—which, given the structure of our economy at present, pretty much includes any industry that processes transactions—including (of course) the payments industry.

Because most of us are not faced with major security breakdowns on a day-to-day basis (especially not breakdowns on par with the Equifax catastrophe), it is easy to become complacent in our routines, at times even leading us to cut corners when it comes to security measures in order to save time and/or money.

When it comes to data security protocol, we all have a choice to make—to be proactive or reactive.

Sure, doing daily due diligence can be time consuming—and it may, at times, feel redundant when proper security measures are known to be in place and operational. In hindsight, however, it should be apparent that dedication to vigilance and taking regular, routine steps to minimize criminal opportunity is a small price to pay in comparison to the months and years of damage control, profit loss, and the decimation of customer trust that companies like Equifax are now facing.

This breach has been truly unfortunate for all involved—but rather than dwelling on the negative, corporations across all industries should use this experience to strengthen their commitment to data security best practices and risk management.




Third-Party website disclaimer: As a convenience, this article provides links to websites maintained by third parties. Merchant Link does not endorse, does not provide and is not responsible for the availability, security, products, services, or content offered through these third-party websites. In addition, our privacy policy does not apply to these third-party websites. These third-party websites may have privacy policies that differ from our privacy policy and may provide less security than our website. You should consult the privacy policies on any of the third-party websites for further information.