On September 7, 2017, Equifax Inc. announced a security breach involving the compromise of sensitive personal information of approximately 143 million U.S. consumers. Attackers compromised Social Security numbers, birth dates, addresses, driver’s license numbers, and credit card numbers. This is the kind of information that could help attackers engage in identity theft. This isn’t the largest breach ever in terms of the number of unique accounts; the Yahoo breach involved approximately 1.5 billion accounts. Nonetheless, the fact that the number of affected individuals is approaching half of the U.S. population and involves sensitive information that could be used for identity theft, the Equifax breach is far more concerning than the Yahoo breach.
What caused the breach? The Apache Software Foundation reported on September 9 that attackers compromised Equifax’s systems by exploiting a vulnerability in the Apache Struts Web Framework. It appears that Equifax failed to implement an update that would have prevented the attack. Thus, WIRED magazine is reporting that the Equifax breach was entirely preventable.
The steady stream of news about data breaches emphasizes the importance of rigorous enterprise security programs. The consequences for the breached company are enormous. Companies sued for data breaches are paying staggering amounts to investigate and settle the cases against them. For instance, The TJX Companies set aside $107 million to cover the litigation against it and regulatory actions. Heartland Systems set aside $73.3 million for breach expenses in 2009. The loss of sales, reputation, profit, and ultimately shareholder value may bring a company to its knees. At the time of the Sony breach, for instance, the company’s entire information technology infrastructure was down in order to mitigate the effect of the attack against it. Workers were using personal devices to continue conducting company business.