Lessons CEOs Can Learn From The Equifax Hack

Anna Pelova

5 Oct 2017

Cybersecurity, Social Engineering
Lessons From The Equifax Hack

The centralised credit reporting system in the United States, and the fact that three companies hold the rights to store the personal data of almost every American, might have made the Equifax hack predictable. To date, it is the worst corporate data breach in modern history, and there are many lessons that CEOs of companies big and small can learn from Equifax's mistakes.

Knowing your vulnerabilities but not taking action

The Equifax hack wasn't as advanced as you might think. The script used to run the attack was public, and executing it required minimal programming skill. It exploited a remote code execution vulnerability, a class of flaw that lets the attacker run whatever they want on the server.

There is even a YouTube tutorial explaining how to exploit the vulnerability. The CEO of Equifax, Richard Smith, admitted that an individual knew about the portal that needed to be patched but failed to inform the IT team. He also blamed a scanning system.

What is even more disturbing is that the sensitive consumer data was stored in plaintext rather than encrypted. The CEO also admitted that he met with the IT and security team only once every four months.

Knowing your vulnerabilities but not taking immediate, consistent action: the high cost of this mistake is now evident.
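The plaintext-storage point deserves a concrete picture of what the alternative looks like. The following is an added example, not code from the article and not Equifax's own system: it encrypts a sensitive field with AES-256-GCM from Go's standard library before the record is stored, and refuses to decrypt anything that has been tampered with or sealed under a different key. The record layout, the `ConsumerRecord` name and the in-memory key are assumptions for the demo; in production the key would live in a KMS or HSM and never sit next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ConsumerRecord models one row of the kind of data the article says was stored
// in plaintext. Only the SSN is shown encrypted here; every sensitive field
// would get the same treatment. (Constructed layout, not Equifax's schema.)
type ConsumerRecord struct {
	Name         string
	EncryptedSSN string // base64(nonce || ciphertext || tag); never the raw SSN
}

// EncryptField seals a sensitive value with AES-256-GCM under a 32-byte key.
// GCM provides confidentiality plus an authentication tag, so a modified stored
// value fails to decrypt instead of silently returning garbage.
func EncryptField(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField and returns an error on any tampering or
// on a wrong key, because the GCM tag no longer verifies.
func DecryptField(key []byte, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreRecord builds the row that would be written to the database. The raw
// SSN is encrypted before it ever reaches the struct.
func StoreRecord(key []byte, name, ssn string) (ConsumerRecord, error) {
	enc, err := EncryptField(key, ssn)
	if err != nil {
		return ConsumerRecord{}, err
	}
	return ConsumerRecord{Name: name, EncryptedSSN: enc}, nil
}

// ContainsPlaintext is the check a reviewer runs over a stored row: does the
// serialised record leak the secret value anywhere?
func ContainsPlaintext(r ConsumerRecord, ssn string) bool {
	return strings.Contains(r.Name+"|"+r.EncryptedSSN, ssn)
}

func main() {
	key := make([]byte, 32) // demo only: a real key comes from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec, err := StoreRecord(key, "Jane Example", "123-45-6789") // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", rec)
	fmt.Println("row leaks SSN:", ContainsPlaintext(rec, "123-45-6789"))
	ssn, err := DecryptField(key, rec.EncryptedSSN)
	fmt.Println("decrypted:", ssn, err)
}
```

The design choice worth noting is the authenticated mode: with GCM, a stored value that has been edited, truncated, or copied between records under a different key returns an error rather than a plausible-looking wrong SSN, which is what makes the encrypted column safe to trust on the way back out.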

Finding out about a security breach and failing to communicate it on time

On July 29th, Equifax discovered that it had been breached on May 13th. Six weeks later, the public was notified. There can be legitimate reasons for a company to take some time before disclosing a hack, such as investigating the case and the impact of the breach.

But the fact that Equifax waited six weeks, during which high-level executives sold stock worth $2.2 million before customers were informed, caused outrage. What is more, the company recently announced that the hack had actually affected the personal data of 145.5 million Americans, 2.5 million more than the number initially announced.

Corporate reputation aside, a problem of this magnitude exposes hundreds of millions of people to identity theft, and communicating it as soon as possible can be critical.

Not having a good crisis management plan to help affected customers

Every company, big or small, is at risk of being hacked. This is why having a good crisis management plan to minimise the damage of an attack is important. 

Equifax's response was to open a new domain for affected customers – http://equifaxsecurity2017.com. With this action, the company made itself and its customers even more vulnerable. It opened the door to speculation and to phishing attacks using look-alike domains such as http://securityequifax2017.

The website asked users to submit the last four digits of their social security number to check whether they had been affected by the breach. Wired reports that even the company's official Twitter account mistakenly tweeted a phishing link four times. The fake site had roughly 200,000 hits.

Luckily, the page wasn't malicious: it was set up to prove how easy it was to hack Equifax, again. It was evident that the company had neither a good crisis management plan nor a well-coordinated incident team to help affected customers, even though it announced that it had formed a special committee to focus on the issues arising from the breach.
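The look-alike domain problem is one a communications team can check for before, not after, a breach site goes live. The example below is added here and is not from the article, Wired, or Equifax: it classifies candidate host names against the domain a company actually announced, catching the reordered brand tokens of the page's securityequifax2017 case, homoglyph swaps, and single-typo variants. The brand-word list, the `Classify` function and the simplified public-suffix handling are assumptions for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// Verdict classifies a candidate host relative to the announced domain.
type Verdict string

const (
	Legit     Verdict = "legitimate"
	Reordered Verdict = "token-reorder"
	Homoglyph Verdict = "homoglyph"
	Typo      Verdict = "typo"
	Unrelated Verdict = "unrelated"
)

// homoglyphs folds common visually confusable substitutions onto one canonical
// form (constructed short list; a production check would use a fuller table).
var homoglyphs = strings.NewReplacer("0", "o", "1", "l", "rn", "m", "vv", "w", "3", "e", "5", "s")

// registrableLabel returns the second-level label of a host name, e.g.
// "www.equifaxsecurity2017.com" -> "equifaxsecurity2017". It assumes a
// single-label public suffix; real code would consult the public suffix list.
func registrableLabel(host string) string {
	host = strings.ToLower(strings.TrimSpace(host))
	host = strings.TrimPrefix(strings.TrimPrefix(host, "https://"), "http://")
	host = strings.TrimSuffix(strings.Split(host, "/")[0], ".")
	parts := strings.Split(host, ".")
	if len(parts) < 2 {
		return host
	}
	return parts[len(parts)-2]
}

// tokenSignature strips every occurrence of the brand words from the label and
// returns a signature of how often each appeared plus the leftover text, so
// that "equifaxsecurity2017" and "securityequifax2017" compare equal.
func tokenSignature(label string, words []string) string {
	var sig strings.Builder
	for _, w := range words {
		n := strings.Count(label, w)
		label = strings.ReplaceAll(label, w, "")
		fmt.Fprintf(&sig, "%s=%d;", w, n)
	}
	return sig.String() + "rest=" + label
}

// editDistance is the optimal-string-alignment (Damerau-Levenshtein) distance,
// so a single transposition counts as one edit.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([][]int, len(ra)+1)
	for i := range d {
		d[i] = make([]int, len(rb)+1)
		d[i][0] = i
	}
	for j := range d[0] {
		d[0][j] = j
	}
	for i := 1; i <= len(ra); i++ {
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			d[i][j] = minInt(d[i-1][j]+1, d[i][j-1]+1, d[i-1][j-1]+cost)
			if i > 1 && j > 1 && ra[i-1] == rb[j-2] && ra[i-2] == rb[j-1] {
				d[i][j] = minInt(d[i][j], d[i-2][j-2]+1)
			}
		}
	}
	return d[len(ra)][len(rb)]
}

func minInt(vals ...int) int {
	m := vals[0]
	for _, v := range vals[1:] {
		if v < m {
			m = v
		}
	}
	return m
}

// Classify compares a candidate host against the announced one. Subdomains of
// the announced domain are treated as legitimate; everything else is scored.
func Classify(announced, candidate string, brandWords []string) Verdict {
	legit, cand := registrableLabel(announced), registrableLabel(candidate)
	switch {
	case cand == legit:
		return Legit
	case tokenSignature(cand, brandWords) == tokenSignature(legit, brandWords):
		return Reordered
	case homoglyphs.Replace(cand) == homoglyphs.Replace(legit):
		return Homoglyph
	case editDistance(cand, legit) <= 2:
		return Typo
	}
	return Unrelated
}

func main() {
	words := []string{"equifax", "security"} // constructed brand-word list
	for _, c := range []string{"http://equifaxsecurity2017.com", "http://securityequifax2017",
		"equifaxsecurity2o17.com", "equifaxsecurlty2017.com", "example.org"} {
		fmt.Printf("%-32s %s\n", c, Classify("http://equifaxsecurity2017.com", c, words))
	}
}
```

Run against a feed of newly registered domains, each non-legitimate verdict is a candidate for takedown or for a warning on the official site. The more durable lesson from the same code is that a breach site hosted on a subdomain of the company's existing domain would have produced no reorder candidates at all, because there would be no new brand tokens to shuffle.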

It did offer help to affected customers, but that came with strings attached – giving up the right to sue the company. Only after facing public pressure did Equifax allow users to opt out of the arbitration requirement.

Retiring with millions after the catastrophe 

Resignations are a usual response after corporate incidents. But when Richard Smith decided to retire following the breach, Equifax was once again in the headlines. 

According to Fortune, the CEO has accumulated over $18.5 million in retirement benefits that he will receive on stepping down, and that figure could rise to $90 million. This is one more reason for affected users to feel frustrated.
