The Equifax hack will go down as one of the largest security breaches of 2017. Sensitive information belonging to at least 143 million Americans and Canadians is now in the hands of criminals. The Equifax hack saw phone numbers, credit card numbers, social security numbers, driver’s license numbers and more lost in an instant. It is hard to comprehend how an institution that large, with so much power over your credit scores, could be so irresponsible.
So the question arises: could the Equifax hack have been avoided? And if it could have been avoided, what should have been done differently? Mike Shultz, CEO of Cybernance, a cyber governance company that identifies security issues in companies’ people, processes, and policies that might lead to breaches like this one, weighs in.
“This breach is totally inexcusable. This wasn’t a technical assault – this was a simple access by hackers through a web application that was not properly secured. This critical breakdown of internal defenses is no different than every major breach of significance in the past two years, but the sensitive information accessed points to extreme danger for the personal wealth and financial health of our economy. This is the 9/11 moment that the NIAC has been warning about.
Commercial enterprise is the front line of defense against hacking, and the 143 million records compromised suggests every family in the U.S. is affected. The bad guys now have your financial information, your employment history, your children’s names, what school they attend – this is a tsunami of personal risks to all U.S. citizens, not just the 44% who were directly affected. The amount of information these firms hold is inconceivable, and the long-term effects are massive. How do you get a job or buy a house when the U.S. economy has been compromised? This goes down to the fiber of the United States, and a breach of this caliber has the potential to freeze the credit reporting system, the banking system, and do major damage to the global economies as a whole.
What’s the solution?
The government has clearly endorsed the use of the NIST Cybersecurity Framework to strengthen enterprises from this devastating caliber of risk by focusing on people, policies, and processes. Had NIST CSF been employed by Equifax, this breach would not have happened. Further, the government provides protection for companies that use NIST and designated technology covered by the SAFETY Act. These functions are in recognition of the risk to the U.S. economy from breaches just like this – this is no longer a suggestion, it is a necessity. It is the fiduciary duty of every C-suite and board of directors to act with reasonable business judgment to protect the private information of consumers, and the fact that proper security measures were not set in place and consumers’ information has been held for weeks without notice means that responsibility has not been upheld. The FBI’s involvement since the breach was identified in May, and their offering of one-year protection for every citizen in the U.S., also suggests that the ripple effect of this breach may be even greater than we’re aware. With the massive epicenter of today’s announcement, it is reasonable to assume that every board of directors and C-suite has also been breached. Perhaps now they’ll get serious about defending personal information – or suffer the severe financial, reputational and personal consequences now being faced by companies like Yahoo.”