Equifax Data Breach: The Point of No Return
Steven Minsky | Sep. 13, 2017
On September 7, big-three credit reporting company Equifax reported[i] that hackers gained access to the personal information of about 143 million U.S. consumers. This scandal will be bigger than the Wells Fargo, BP, Chipotle, Volkswagen and Bernie Madoff scandals combined.
The Equifax breach is unprecedented in both quantity and quality. It is second to none in terms of how many Social Security numbers were compromised, dwarfing all preceding attacks 10 to 1. But more importantly, this attack is unique in that it directly connects our Social Security information to all of our banking and credit card accounts along with other key identifiers like birth date, address and driver’s license. Not only can anyone’s identity be more easily impersonated, but all existing accounts including checking and savings accounts can easily be drained up to the maximum limit.
I have written about data breaches in the past, my main point being that they are all offenses of ineffective and negligent risk management, which are preventable with enterprise risk management. I have written about corporate scandals of all kinds, my main point being that they all share the same root cause: a failure to ensure that corporate policies are effective from the operations of the organizations all the way to the vendors they partner with and outsource to. In all cases, I have contended that companies will suffer most from the reputational damages of their risk management failures, far above and beyond the immediate financial, legal, and compliance consequences.
These points are yet again directly applicable to Equifax. However, because of the sheer scale and unique nature of this breach, it will also impact the integrity of our financial infrastructure and national security (in terms of money laundering and terrorism), and up-end our personal lives like we have never seen before.
I predict that, in addition to all the class action lawsuits, congressional investigations and financial penalties Equifax will pay, this is truly the point of no return for enterprise risk management. The focus will soon shift to the banks, stores, and other organizations that do business with Equifax and other data brokers. After all, these institutions are the ones that gave away our information to Equifax without doing due diligence on their part to ensure that our information would be safe.
This scandal, the outrage the country is feeling right now, and the actual damages and level of distrust Equifax has instilled in us will be a contagion that will spread to each and every organization. For too long, corporations have been too complacent in ensuring their policies for their organization and their partner supply chains are effective. Regulators have not held senior management as accountable for risk management as required, and individuals have not been motivated and focused enough to express their outrage at a level that creates change, until now.
The scandal is no longer only about Equifax; it is about the way we think about risk management and our expectations of adequate corporate risk responsibility. Customers will put their money and their loyalty only where it’s safe. It follows then that organizations will need a way to prove that they are safe havens for their customers’ security. Therefore, the Equifax data breach will be a watershed moment when CEOs and boards of every company facing intensified scrutiny will finally be demanding more effective enterprise risk management, and not just talking about it.
The Equifax data breach is a failure in risk management
Equifax reported[ii] that the hackers behind the attack “exploited a U.S. website application vulnerability to gain access to certain files.” According to a report by William Baird & Co.,[iii] that vulnerability was in a popular open-source software package called Apache Struts, a programming framework for building web applications in Java.
As with all risk management failures, the blame cannot be displaced onto technology, one business area, or another company. As a corporation that deals with the personally identifiable information of 200 million U.S. customers, Equifax has a legal and moral responsibility to adopt an effective risk management program that ensures their customers’ security. Equifax alone is responsible for identifying and mitigating the risks associated with their assets, including the sites they use and the third parties they work with.
Equifax is now scrambling to contain the legal and financial fallout.[iv] Two class-action suits have been filed along with a congressional investigation. I believe that Equifax will be found negligent in its enterprise risk management responsibilities, and in failing to identify and act on known weaknesses in its data security risk management.
I believe with high confidence, as it is with all corporate scandals, that it will be determined that the Equifax vulnerability was known ahead of time and preventable.
Of course, Equifax is not the only guilty corporation in this regard. The security researchers who discovered the bug warned that the affected application is used by 65% of Fortune 100 companies. And according to the Identity Theft Resource Center,[v] 975 serious breaches were verified to have taken place YTD in 2017 affecting 19,367,773 records that contain Social Security numbers, financial account information, or sensitive medical information.
Not enough organizations have adopted an enterprise risk management approach to cyber security in order to operationalize their internal cyber policies across the enterprise and monitor their effectiveness with end users and their vendors, which is needed to assess, mitigate and monitor activities across business silos.
Consumers and investors are demanding more effective risk management. There are banks, stores and organizations out there that are doing their due diligence and implementing responsible measures to keep your information safe. These are the institutions that deserve our business.
The contagious damages of the Equifax data breach
We’ve discussed the havoc reputational damages have wreaked on large corporations before, most recently regarding Wells Fargo.[vi] The widespread and irreparable nature of these damages is once again applicable to Equifax.
The day after the breach, shares of Equifax fell 14%.[vii] What is unique about these reputational damages is that while customers cannot always control whether they are customers of Equifax, they can control the banks, stores and other businesses they give their patronage and loyalty to. After all, it is these institutions that gave away our information to Equifax without instituting appropriate third-party risk management monitoring over who they gave it to.
To bring this home, let’s look at the impact of the breach for the typical consumer. The average time spent recovering from identity theft is 175 hours, and victims spend an average of $1,400 in out-of-pocket expenses. While it is tempting, the consumer cannot associate these losses with Equifax, but only with the financial services institutions that have our business today.
I believe customers’ outrage will cause a massive shifting of funds and business to those institutions that can demonstrate competent enterprise risk management. Whether Equifax will survive this incident remains to be seen, but I believe that consumers and investors in addition to regulators will start scrutinizing the risk management practices of the banks, stores and other organizations they do business with.