“As we move into the era of digitalization, are we ignoring the risks that come with it”
The Equifax data breach
In September 2017, Equifax (a consumer credit reporting agency) announced that it had been the victim of a cyber security breach in which more than 143 million customer records were compromised. In October 2017, it announced that a further 2.5 million users may have had their information stolen from the Equifax servers. In the age of digitalization, as more and more companies move their assets and operations online, Equifax can serve as a wake-up call about the importance of understanding the risks that come with this move.
Exhibit 1. Equifax homepage sharing the details of the cybersecurity incident.
Equifax operates in the business-to-business space, providing consumer credit information to customers ranging from insurance firms to banks and other financial institutions. While Equifax publicly announced the breach in September, reports suggest that the hack took place months earlier, in May-June 2017, and that Equifax may have known about the issue as early as July 2017, given that key executives sold their stock options right after the data breach took place. But were there visible signs that Equifax ignored, signs that might have helped it mitigate the risk and prevent this attack? The hackers exploited a security vulnerability, CVE-2017-5638, in Apache Struts, a software framework used by Equifax. The security issue was published on March 10 and was rated with a CVSS score of 10, the highest possible severity (please see Exhibit 2). Equifax had plenty of time to address the issue, and security analysts had repeatedly reported that the company was not keeping up with security updates.
Exhibit 2. The security issue that led to the Equifax breach (published on March 10, 2017).
Some lessons to be learned
As a company moves into the digital space, the positives that come with it can conveniently drown out the risks. Equifax made this mistake and failed to acknowledge the inherent risks of the domain in which it operated. The company's annual report contained no mention of the risks associated with data breaches, and Equifax may not be the only company at fault in this regard.
Looking at the list of companies that have had to deal with hacking incidents, from Yahoo to Sony, a common pattern emerges: companies first ignore the issue, then try to hide it once they become aware of the consequences, and finally try to deny the extent of the impact. This is exactly what happened in the case of Equifax as well.
Equifax did not have the firewall to protect itself, and the fact that it announced the breach only 3-4 months after it took place does not inspire confidence in its ability even to detect fraud, let alone protect against it. Companies exposed to security attacks should understand the industry they are in and have a well-trained security team that keeps their systems up to date. As security issues are disclosed, it is extremely important to involve the community of white hats (a term for ethical computer hackers) by setting up bug bounty programs that reward security experts for finding and reporting risks in your systems. It is also vital to have pre-set processes for dealing with security breaches and to be in a position to protect your customers.
Equifax may have suffered one of the largest security breaches, but we have seen security issues affect a whole range of well-reputed companies, from JP Morgan Chase to eBay, LinkedIn and Yahoo. Looking at the list of officially reported security vulnerabilities, we can see that multiple security issues are released every month, and it takes a lot of time and effort to stay on top of them. Companies that have not updated their systems for a while could find themselves having to reconfigure a large part of their systems.
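The gap the essay describes, an advisory published on March 10 with a CVSS score of 10 and a vulnerable component still in place months later, is something a security team can measure routinely. The following script is an added illustration, not code from the original post or from Equifax: it takes a constructed inventory of third-party components and a constructed advisory feed, checks each component's version against the affected ranges, and reports how many days each critical advisory has been open relative to a severity-based patching deadline. The CVE id, component, CVSS score and publication date come from the post; the affected version ranges, the second placeholder advisory, the inventory and the SLA thresholds are constructed sample data and must be replaced with the vendor advisory and the organisation's own policy.

```python
"""Patch-lag report: flag third-party components whose published advisories
have gone unaddressed for longer than a severity-based deadline (SLA).

Added example; the inventory, version ranges and SLA thresholds below are
constructed sample data, not values taken from any vendor or from Equifax."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    affected: tuple     # ((min_inclusive, max_inclusive), ...) version strings
    fixed_in: str
    cvss: float
    published: date


def parse_version(version):
    """Turn '2.3.30' into (2, 3, 30) so ranges compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, advisory):
    """True when the installed version falls inside any affected range."""
    installed = parse_version(version)
    return any(parse_version(lo) <= installed <= parse_version(hi)
               for lo, hi in advisory.affected)


def sla_days(cvss):
    """Assumed remediation deadline by severity (policy placeholder)."""
    if cvss >= 9.0:
        return 7
    if cvss >= 7.0:
        return 30
    return 90


def patch_lag_report(inventory, advisories, today):
    """Return one finding per (component, advisory) pair that is still exposed."""
    findings = []
    for advisory in advisories:
        version = inventory.get(advisory.component)
        if version is None or not is_affected(version, advisory):
            continue
        days_open = (today - advisory.published).days
        findings.append({
            "component": advisory.component,
            "installed": version,
            "cve": advisory.cve,
            "cvss": advisory.cvss,
            "fixed_in": advisory.fixed_in,
            "days_open": days_open,
            "overdue": days_open > sla_days(advisory.cvss),
        })
    return findings


# Constructed advisory feed. CVE-2017-5638 / Apache Struts / CVSS 10 / 2017-03-10
# are from the post; the ranges and the placeholder advisory are illustrative.
ADVISORIES = (
    Advisory("CVE-2017-5638", "apache-struts",
             (("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")),   # constructed range
             "2.3.32", 10.0, date(2017, 3, 10)),
    Advisory("CVE-0000-0000", "examplelib",                  # placeholder id
             (("1.0.0", "1.4.2"),), "1.4.3", 5.3, date(2017, 5, 1)),
)

# Constructed component inventory: one exposed, one already patched.
INVENTORY = {"apache-struts": "2.3.30", "examplelib": "1.4.3"}


if __name__ == "__main__":
    # Constructed as-of date, in the window the post gives for the intrusion.
    for finding in patch_lag_report(INVENTORY, ADVISORIES, date(2017, 5, 13)):
        status = "OVERDUE" if finding["overdue"] else "within SLA"
        print(f"{finding['component']} {finding['installed']}: {finding['cve']} "
              f"(CVSS {finding['cvss']}) open {finding['days_open']} days, "
              f"{status}; fixed in {finding['fixed_in']}")
```

Run against a real inventory, the same report answers the question the post raises about Equifax: not whether a vulnerability existed, but how long a critical, published advisory was left unaddressed against the organisation's own deadline.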
As we go forward in this era of digitalization, we need to think about a few questions: Is Equifax merely representative of a whole range of companies exposed to the risk of a security breach? While it is imperative for companies to be aware of the inherent risks and the damage a security incident can cause, how can they protect themselves in the time of the dark web and Tor? And how should companies deal with the aftermath of a hacking attack?
[Word count: 785]