Equifax just suffered what may be one of the biggest and most potentially damaging data breaches in history, and security experts are saying that the breach was probably preventable.
The credit bureau said Thursday that it learned July 29th that hackers had compromised the personal data–including credit card numbers, social security numbers, and birthdates–of 143 million US consumers and an unspecified number of UK and Canadian customers, in a breach that occurred sometime between mid-May and July. The credit cards of 209,000 U.S. customers were compromised, as well as personally identifiable information on 182,000 people involved in credit disputes.
Equifax chairman and CEO Richard F. Smith called the breach “disappointing.”
“This is a terrible story,” said Cooper Levenson attorney and security expert Peter Fu. “No one entity should ever have all of our personal data in a single breakable point of entry.” The sheer volume of the loss suggests hackers were able to quickly grab huge chunks of data in a “catastrophic” breach, Fu says.
While law enforcement is keeping the technical details of the breach quiet for the moment, the available facts strongly suggest Equifax may not have been following accepted security guidelines.
Fu points out that the Payment Card Industry security guidelines used by banks and credit card companies require that companies keep billing information (names, addresses, social security numbers, etc.), financial information (credit card numbers), and miscellaneous supporting documents in separate secure places.
“You’d expect the company to be at the extreme end of the security spectrum given it is their business to aggregate highly sensitive data and keep it secure,” says Randy Battat, cyber security expert and founder/CEO of PreVeil.
“This case highlights more than ever the need for a system that eliminates central points of attack and protects business data even when the servers are compromised,” Battat said.
Fu says it could be meaningful that Equifax broke out the exposed data into three different types–the personally identifiable data, the personal financial data, and the email and other correspondence about credit disputes. It suggests Equifax may at least have segregated the data by type.
“Either Equifax put everything in one big bucket or they suffered such a catastrophic attack that multiple buckets were compromised simultaneously,” Fu said. Normally, if a hacker breaches one server, the other servers automatically shut down, Fu says.
Still, because Equifax collects so much data, each of those buckets was very big, and a very big target. Large organizations often choose to keep massive piles of data in one spot so that it can be searched and accessed easier.
Equifax should have seen this coming from miles away, analysts and security researchers say.
Partly that’s because the credit bureau was the target of another serious data breach back in 2013. Equifax learned of the breach after hackers posted online social security numbers, credit reports, and other information about celebrities and government officials including Michelle Obama.
“After the breach debacle that Equifax went through in 2013, just four years ago, there is no conceivable excuse in the world for this kind of failure to happen again,” says Dr. Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers (IAITAM). She said that “Equifax handles some of the most sensitive consumer information in the United States” and had “permitted what is perhaps the worst breach of consumer information in our nation’s history.”
The Equifax breach is still not the largest: In the past year, Yahoo has disclosed that over 1.5 billion user accounts had been hacked in attacks in 2013 and 2014.
Fu points out that the Equifax is different from other landmark breaches because much of the data on Equifax’s servers doesn’t come from consumers themselves. It comes from credit card companies, banks, and retailers.
That means that many of the victims of the massive breach probably don’t realize they are victims. And to find out if they are impacted using a new Equifax website, victims were asked to turn over part of their social security number. And to receive help from the company—a year of free credit monitoring and identity theft protection—customers were asked to sign an arbitration clause that appeared to prevent them from suing the company. Equifax clarified today that it will not require impacted consumers to forfeit their right to join a class action lawsuit against the company.
Now, one of the many questions for everyone involved in one of the biggest data breaches in history is just how big that lawsuit will be.