Lessons From The Equifax Data Breach

Hodgson Russ LLP

Hodgson Russ LLP

On December 10, 2018, the House Oversight and Government Reform Committee Republicans released a report on the Equifax data breach. The data breach, which Equifax announced in September 2017, ultimately affected 148 million individuals and involved the compromise of personal information including Social Security numbers, addresses, and credit card numbers. The breach resulted from a cyberattack, which started in May 2017 and lasted for 76 days, with hackers trying to obtain remote control over the company’s network. The hackers ultimately found a file containing unencrypted credentials, which allowed them to access multiple databases. After obtaining personal information from these databases, the hackers moved the data out of Equifax’s system, which Equifax did not realize because the device used to monitor network traffic had been inactive due to an expired security certificate. It wasn’t until July 2017 that Equifax updated the certificate and noticed the web traffic.

The Committee found that this breach was entirely preventable because Equifax failed to appreciate and mitigate its cybersecurity risks. It noted that the company did not implement clear lines of authority within their IT department, leading to a gap between policy development and operation. This critical gap led to the company allowing multiple security certificates to expire. The company also failed to implement updated IT systems, which the Committee blamed on an aggressive growth strategy, which involved the company’s acquisition of multiple companies with different IT systems. And, after the breach occurred, the company was unprepared to support affected consumers. Its dedicated breach website and call centers were overwhelmed, leaving consumers without the ability to timely obtain information about their vulnerabilities.

While few companies hold the amount of data that Equifax does, the deficiencies in Equifax’s IT security were basic and easily fixed. Simply ensuring security certificates were up to date could have prevented this massive breach. Equifax is an example of why companies that hold any personally identifiable information – regardless of volume – must be vigilant in protecting the data and seeking regular assistance in ensuring that they are using the best methods available to protect their customers.

Here is a link to the Committee’s Report: https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hodgson Russ LLP | Attorney Advertising

Written by:

Hodgson Russ LLP

Hodgson Russ LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.