Was Equifax’s Data Disaster Caused by Subpar Staffing?

(~500 words, 3rd person)

September 2017 will go down as perhaps the darkest point in Equifax’s history.

The multinational credit reporting giant, which ranks in the top three of its industry, suffered a massive data breach that compromised the personal information of 147 million people from the U.S., U.K., and Canada.

It’s an incident that cost them millions of dollars, but the damage to their reputation is a debt they may never be able to pay off.

It all started when Apache Struts, the open-source framework Equifax used for managing credit disputes, issued a key security patch to address a security vulnerability on March 7, 2017. Users were urged to install the patch immediately, with evidence that hackers were already trying to target unpatched sites just a few days later.

When they breached unpatched Equifax systems, they went after employee credentials first, which allowed them to gain access to even more information. The group scanned Equifax’s databases more than 9,000 times, effectively covering their tracks for 76 days before Equifax finally discovered the breach on July 29.

However, the company did not disclose the incident until September 7. While some claimed the lengthy wait made the situation worse, Equifax officials maintained they were working to understand the full scope of the damage.

The full scope included news that birth dates, addresses, driver’s license numbers, Social Security numbers, and credit card numbers were exposed.

It didn’t help that company executives were found to have sold millions in stock after learning of the breach but before announcing it. After the story went public, the stock price dropped substantially.

While their lack of urgency to install the security patch was the primary reason for the disaster, other issues exacerbated it – this included poor network segmentation, possible inadequate encryption, and ineffective mechanisms to detect breaches.

How could such a massive company, in a field that’s a hacker’s goldmine, have such glaring security shortcomings?

The curious credentials of the company’s (now former) “Chief Security Officer” could tell the tale – or sing it. Ms. Susan Mauldin holds a bachelor’s degree and master of fine arts degree in music composition – with no formal cybersecurity credentials to speak of.

Both she and the former CEO Richard Smith have since stepped down. Smith was grilled on why she was put in such a position. Mauldin was not questioned herself – her LinkedIn page was made private during this time, her last name replaced with only “M.”

While the $400M+ settlement came with free credit monitoring for those impacted, even this gesture presented its own security concerns. The poor design of the site set up to let consumers know if they were affected led to it being classified as a phishing site by some security systems.

It was also accused of returning random information rather than accurate results, and there were also concerns that the terms of use bound anyone who used the site to an Equifax arbitration clause, though this was later removed.

In one final blunder to top off the spectacular security mess, Equifax had accidentally been linking to an imitation website instead of their own breach notification page. Their eight tweets promoting the wrong link got the fake site about 200,000 hits.

If they don’t have a future in credit monitoring, perhaps they could enter the marketing or music fields.