On September 7, 2017, Equifax Inc. announced a security breach involving the compromise of sensitive personal information of approximately 143 million U.S. consumers. Attackers compromised Social Security numbers, birth dates, addresses, driver’s license numbers, and credit card numbers. This is the kind of information that could help attackers engage in identity theft. This isn’t the largest breach ever in terms of the number of unique accounts; the Yahoo breach involved approximately 1.5 billion accounts. Nonetheless, the fact that the number of affected individuals is approaching half of the U.S. population and involves sensitive information that could be used for identity theft, the Equifax breach is far more concerning than the Yahoo breach.
What caused the breach? The Apache Software Foundation reported on September 9 that attackers compromised Equifax’s systems by exploiting a vulnerability in the Apache Struts Web Framework. It appears that Equifax failed to implement an update that would have prevented the attack. Thus, WIRED magazine is reporting that the Equifax breach was entirely preventable.
The steady stream of news about data breaches emphasizes the importance of rigorous enterprise security programs. The consequences for the breached company are enormous. Companies sued for data breaches are paying staggering amounts to investigate and settle the cases against them. For instance, The TJX Companies set aside $107 million to cover the litigation against it and regulatory actions. Heartland Systems set aside $73.3 million for breach expenses in 2009. The loss of sales, reputation, profit, and ultimately shareholder value may bring a company to its knees. At the time of the Sony breach, for instance, the company’s entire information technology infrastructure was down in order to mitigate the effect of the attack against it. Workers were using personal devices to continue conducting company business.
Patch management is a key aspect of any security program. Enterprises should have systems for regularly updating system and application software. Software manufacturers regularly issue patches and software updates to address security vulnerabilities and improve the ability of the software to resist attacks. Keeping software up-to-date will lower the risk of exploits and malware.
Nonetheless, patch management is only one aspect of enterprise security. Companies should have a comprehensive program of administrative, physical, and technical safeguards to secure sensitive information. Companies have tools at their disposal to manage the risks of data breaches. Moreover, if they take the right steps, they can recover from data breaches and increase the security of their organizations. The Equifax breach underscores the need for companies to review and update their security practices on a regular basis so they can avoid Equifax’s fate.
Stephen Wu wrote A Guide to HIPAA Security and the Law (Second Edition) published by the American Bar Association in August 2016. For more information on the book or managing the legal risks involved with security breaches, please contact Stephen Wu by completing the web form here.