The true weight of the massive Equifax data breach, believed to have impacted roughly 148 million Americans, will be felt for years to come. One year later, there seem to be plenty of questions about how the company dealt with the aftermath, and about what it is doing to prevent a breach of such magnitude from occurring again.
The Equifax breach has dominated headlines in the fraud ecosystem not just because of the total number of exposed records, but also because of the scope of what those records contained. The nature of the sensitive details — including SSNs, credit card details and tax IDs — is what placed the incident on the list of the worst corporate data breaches in the U.S.
So what has happened in the year following Equifax’s discovery of the breach? Besides a lot of public criticism and new leadership, there has been a series of congressional hearings and investigations that have left the credit reporting agency in the hot seat since the incident was first reported.
The Financial Impact
The company’s new CSO, Jamil Farshchi, reported that Equifax has invested more than $200 million in enhanced security measures. Farshchi is no stranger to massive breach cleanup: he was brought into the Home Depot team after that company suffered a breach that leaked 56 million credit/debit card numbers. The Equifax breach, however, made that one look small in comparison.
The new $200 million in data security infrastructure is intended to build a program capable of preventing another massive breach. Still, Equifax has faced plenty of criticism suggesting that the company should have implemented more proactive practices to prevent the breach in the first place. In his latest interviews, Farshchi remained optimistic about the company’s future when it comes to protecting itself from further incidents.
“The barriers you face at any company not post-breach is you're always fighting for budget, you're always fighting for face time, trying to justify and convince people about the importance of security and risk management. When you're in a post-breach environment, everyone already knows that it's critically important,” he said in an interview.
The Regulatory Impact
In June of this year, Equifax agreed to a consent order from regulators in eight U.S. states. The order requires the credit reporting agency to provide regular reports on how it is actually improving its security measures. The agreement calls on Equifax “to take specific action to protect confidential consumer information.” The order also calls on Equifax to “remediate the deficiencies and unsafe practices that contributed to the breach.”
On top of those requirements, Equifax has agreed to be open to on-site regulatory reviews and to be more transparent about how it identifies future threats and security vulnerabilities. Equifax has 90 days to comply with those orders, and 30 days to improve how it audits, and to improve the “standards and controls” for managing, the software used to add or update security. All of this will be reviewed by an independent security expert.
From a regulatory standpoint, there has been no true financial impact in terms of fines the company has been forced to pay as a result of the breach.
Some states, like Massachusetts, are set to adopt new regulations designed to protect consumers. The Massachusetts bill, which is headed for the governor's desk, gives consumers free credit freezes at any time. It would also require businesses that are breached to provide a period of free credit monitoring.
The Public Relations Impact
There have been a number of contentious hearings, but no formal congressional action has been taken against Equifax. The number of critical articles about how the breach was disclosed, along with the fact that the breach happened in the first place, has kept the credit reporting agency under a microscope for most of the year.
Also contributing to the controversy was the fallout when two former Equifax employees were charged with insider trading. Sudhakar Reddy Bonthu, a former software developer for Equifax, has been accused of using non-public information to learn about the breach and then trading on it to profit by more than $75,000 after the incident was announced. Jun Ying, former chief information officer of Equifax's U.S. Information Solutions, was indicted in March on similar charges and has pleaded not guilty.
One of the biggest criticisms the company has faced is how long it took to publicly disclose the breach. The breach was discovered a few months before it was officially disclosed in early September of 2017. This led to a firestorm of criticism on a national level, calling on the company to explain why it took so long to disclose the details and full reach of the breach. Former Equifax CEO Richard Smith also resigned in September as a result of the fallout.
What Banks Should Be Aware Of Post-Breach
From the cost of reissuing breached cards to the cost of tracking synthetic fraud, the true impact of the Equifax breach won't be known for some time. Synthetic fraud allows fraudsters to set up accounts in a person’s name that appear to be authentic but are in fact fictitious. A new synthetic ID is constructed by combining true and false information to build a credit file and then open new accounts; at scale, this is perpetrated by opening hundreds of new accounts.
What matters now for banks and credit unions is how they handle the mess that is likely to follow from the massive trove of stolen personal credentials. Customers don’t care whose fault the breach was; they want to know they are protected by their financial institutions. Trust and the ability to respond quickly matter most in the aftermath of a breach as large as this one.
As for how financial institutions should change their data breach practices after events like these, Rippleshot's co-founder has two pieces of advice: ask more from your data processor, and get faster fraud alerts. Instead of relying on weekly or monthly reports, fraud alerts should be delivered in near real time, using daily data from credit card transactions within your network.
Financial institutions need tools that give them a daily alert on which cards are compromised, and the option to reset PINs immediately — as opposed to the two-week period associated with CAMS alerts. Speed matters most when detecting and preventing the spread of fraud because, by the time the card networks alert banks which cards are compromised, 80 percent of the fraud has already occurred.
With fraudsters having access to social security numbers, addresses, email addresses, dates of birth and even credit card numbers, they have the ability to open fraudulent accounts, new credit cards and even entire lines of credit. What banks and credit unions have to worry about are trails of credit card fraud that can exponentially increase the rate at which fraud (particularly synthetic fraud) spreads.
To recap, here are the basic facts of what we know about the breach impact.

Data exposed | Number of records
Names | 146.6 million
Birthdates | 146.6 million
Social Security Numbers | 145.5 million
Addresses | 99 million
Driver's License Numbers | 17.6 million
Email Addresses | 1.8 million
Credit Card information | 209,000
Tax IDs | 97,500