Equifax Hack – Takeaways for Small Business

Posted by Timothy Platt on Sep 10, 2017


Key Points About the Equifax Hack (Data Breach) for Small Business

As you’ve probably heard, this week Equifax Inc. (one of the “big-three” credit bureaus) announced a cybersecurity incident that involved a data breach of 143 million U.S. consumer records. A data breach is a form of computer hack where confidential or private data is exposed – accessed, viewed, or stolen by unauthorized individuals. The information that was exposed includes: names, Social Security numbers, birth dates, addresses and some driver’s license numbers, amongst other things. Some credit card numbers were also exposed. This data breach exposes millions of US citizens to potential Identity Theft.

The records were accessed by criminals who hacked into a web server run by Equifax. The criminals had access for an extended period of time – from May through July of this year. This means the information is certainly now in the hands of individuals who could use it for Identity Theft – or for sale to those that would.

In this article, we’ll discuss the key takeaways from this incident. Let’s learn from other’s mistakes.

How Did the Breach Happen?

It’s still early, but all signs point to hackers using a software vulnerability in a web server run by Equifax to gain access. A vulnerability is a bug or defect in the underlying computer code that allows unintended usage or attacks. The specific software component under scrutiny is the Apache Struts Web Framework, an open source software component that is very popular, and in use by thousands of companies big and small. But, it’s important to note that all complex software has bugs – and security vulnerabilities, this is not a problem specific to Apache Struts.

It’s also possible that multiple vulnerabilities were used in some fashion to gain access to the data. We don’t know details at this point in time.

Who Took the Data?

The incident is being investigated by a specialist firm that provides cybersecurity and forensics services. Details regarding who stole the data isn’t publicly available, and the truth is we’ll likely never know.

Can the Data Be Recovered or Invalidated?

There’s certainly no chance to recover the data, as in the realm of digital data, there could be hundreds or thousands of copies worldwide already.

In digital terms, once private data is exposed, it’s exposed forever.

And that is what makes this particular breach significant, so much of the information is not changeable – SSN, Date of Birth, home addresses. There’s no easy path to tell users to change their password or other steps that can invalidate what was stolen.

The other significance of this event is the sheer size – 143 Million records means 44% of the US population are potentially impacted by this.

What Potential Damages Will Consumers Incur From This Incident?

As mentioned above, anyone impacted by this breach is now at a greatly increased risk of Identity Theft. Fraudulent credit accounts, fraudulent income tax returns, and a variety of other damaging incidents are now possible. Consumers will need to be vigilant for fraudulent transactions, may need to procure credit freezes, fraud alerts, or credit monitoring services. If Identity Theft happens, the time and expense to un-do the damage will be significant.

What Damage Will Equifax Incur From This Incident?

Equifax’s reputation and brand standing will undergo intense scrutiny. Consumer confidence is lost. They are already facing a multi-billion dollar class action lawsuit. They will likely undergo intense scrutiny from one or more government institutions and regulators, such as the Federal Trade Comission (FTC). They will probably be blamed (rightly or wrongly – it doesn’t matter) for the majority of Identity Theft that will occur for the next few years.

This will significantly impact their revenue, expenses, and business productivity for years to come.

What Are Best Practices to Help Mitigate Cybersecurity Incidents?

While we don’t know all the specifics of this incident to comment specifically, we can talk in general terms of best practices.

First, we need to talk in terms of how you prevent cybersecurity incidents. The array of threats that can lead to a data breach are diverse. Software bugs or vulnerabilities are only one part of the bigger picture. A defense in depth approach to cybersecurity is needed. Defense in depth means layering best practices to make it difficult for a breach to occur.

And there’s more. But what you require depends on what sort of data you store and use, and how you use it, and what your customers, partners, and industry regulations require.

Another key point from this real-world incident – if your company stores sensitive data it needs a cybersecurity incident response plan. The worst time to put a plan together is during an incident. Equifax is currently taking a lot of heat for a haphazard and poorly conducted response to this incident.

There are many things to consider, and addressing them all would require detailed planning, and a phased project plan for implementation.

Get Help from the Security Experts

We hope this information has been helpful. Your situation and unique requirements will need specific assessment. And remember, we’re here to help. If you’ve got a security or privacy related challenge, reach out to us – we’d love to help. We can assess and advise on your current state of security, as well as help draft a incident response plan.

Contact VO for security help now

IT Support by Virtual Operations

Virtual Operations provides IT support for small businesses in the Orlando and Central Florida area. Our managed IT services offering provides the expertise and quality care your small business needs. Please contact us today to find out how we can help with your computer support and network support needs.

Data breach graphic courtesy of blogtrepreneur.com


Like To Learn More? Send Us A Message or call direct 407.268.6626

Back to Blog

Subscribe to Email Updates

[constantcontactapi formid="1"]

It appears you are viewing this site through an obsolete web browser.

This site was built to comply with modern web standards and relies on features unavailable in browsers that are out of date.

You can learn more about your browser here. And you can learn more about modern web browsers here.

To hide this notice, click here.