Data security is the silver bullet. Since the beginning of the year we’ve been proselytising about cybersecurity in our blogs, detailing the associated breaches (or at least the biggest ones) and bandying around figures, including this one from February:
80% of businesses experience a security incident every year. The average cost to put it right is around £3 million and two-thirds of SMEs go out of business within six months of a data breach
Unfortunately, sometimes three million quid doesn’t even scratch the surface. In the case of the Equifax breach of 2017, £3m wouldn’t have got them very far at all.
The Equifax Facts
As we always do, let’s explore exactly who Equifax is…
Well, they’re one of the world’s largest data analytics, credit reporting and technology companies. The company has its HQ in Atlanta, Georgia and employs roughly 10,500 people. It is one of the Big Three credit agencies, alongside Experian and TransUnion, and in 2017 its revenue was $3.36bn. The market cap of the business is somewhere north of $15bn.
The company was happily doing its thing until July 29th 2017, when it discovered it had been subjected to one of the biggest and most destructive data breaches in history. But how, and wasn’t there a warning in 2016?
Yes, there was. Around six months before the breach was discovered, a security researcher looking at Equifax’s servers noticed that an online portal created only for employees was accessible on the open internet.
He or she decided to stay anonymous for professional reasons but their report on the online channel Motherboard was utterly damning in its simplicity:
‘I didn’t have to do anything fancy, all you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app.’
The researcher explained that the site was vulnerable to a ‘forced browsing’ bug: there was no login and no check on who was asking, so anyone who knew (or guessed) the URL could query the data directly. In total, he or she downloaded data on hundreds of thousands of Americans to show Equifax where the vulnerabilities in their systems were, and could have got everything in under 10 minutes. The last sentence of the quote was the worst…
‘I’ve seen a lot of bad things, but not this bad.’
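To make the ‘forced browsing’ point concrete, here is an added example (our illustration, not Equifax’s code) of the same record-search handler written twice: first as the exposed portal the researcher describes, where any caller can put in a search term and get cleartext records back, and then hardened so that only an authenticated employee with the right scope can search, with the sensitive field masked and the result size capped. The records, the session store and the field names are all constructed for the example.

```python
"""Forced browsing: an employee-only search endpoint that nobody actually
has to be an employee to use, beside a hardened version of the same handler.

Added example, not Equifax's code. RECORDS, SESSIONS and the field layout
are constructed for illustration only."""

from dataclasses import dataclass
from typing import Optional

# Constructed sample data: what a consumer-record search might return.
RECORDS = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789", "state": "GA"},
    {"id": 2, "name": "Bob Sample", "ssn": "987-65-4321", "state": "CA"},
    {"id": 3, "name": "Carol Test", "ssn": "555-12-3456", "state": "GA"},
]

# Constructed session store: token -> who they are and what they may see.
SESSIONS = {
    "tok-emp-ga": {"user": "analyst1", "role": "employee", "states": {"GA"}},
    "tok-guest": {"user": "visitor", "role": "guest", "states": set()},
}


@dataclass
class Request:
    query: str
    session_token: Optional[str] = None


class AccessDenied(Exception):
    pass


def search_vulnerable(req: Request) -> list:
    """The exposed portal: no authentication, no authorisation, no limit.
    Anyone who can reach the URL gets every matching record in cleartext,
    and a one-letter search term dumps most of the table."""
    q = req.query.lower()
    return [r for r in RECORDS if q in r["name"].lower()]


def mask_ssn(ssn: str) -> str:
    """Show only the last four digits; the full value never leaves the server."""
    return "***-**-" + ssn[-4:]


def search_hardened(req: Request, max_results: int = 50) -> list:
    """Hardened handler: require a valid session, require the employee role,
    scope results to the states the user is entitled to, mask the SSN and cap
    the result size so bulk extraction needs many (detectable) requests."""
    session = SESSIONS.get(req.session_token or "")
    if session is None:
        raise AccessDenied("authentication required")
    if session["role"] != "employee":
        raise AccessDenied("employee role required")
    q = req.query.strip().lower()
    if len(q) < 3:
        raise ValueError("query too short")  # blocks single-character table dumps
    hits = [
        {**r, "ssn": mask_ssn(r["ssn"])}
        for r in RECORDS
        if q in r["name"].lower() and r["state"] in session["states"]
    ]
    return hits[:max_results]


if __name__ == "__main__":
    print("vulnerable, no session, query 'a':", search_vulnerable(Request("a")))
    print("hardened, GA analyst, query 'example':",
          search_hardened(Request("example", "tok-emp-ga")))
```

The vulnerable handler is what ‘put in a search term and get millions of results’ looks like in code. The hardened version is not exotic: an authentication check, an authorisation check tied to the caller’s entitlements, output minimisation and a cap on result size. None of those stop a determined insider, but they turn a ten-minute anonymous download into a logged, attributable, rate-limited activity.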
Just How Bad Is Bad?
It was bad. Real bad, to the tune of…
Names – 146,600,000
Dates of birth – 146,600,000
Social Security numbers – 145,500,000
Addresses – 99,000,000
Genders – 27,300,000
Phone numbers – 20,300,000
Driving license numbers – 17,600,000
Email addresses – 1,800,000
Credit card numbers & expiry dates – 209,000
Tax IDs – 97,500
Driving license states – 27,000
And it didn’t end there. Government-issued identification documents uploaded to the Equifax dispute portal accounted for another 56,000, including driving licenses, Social Security and Tax ID cards, passports, military ID cards, state-issued ID cards and resident alien cards.
Roughly speaking, that’s about half of the adult US population on the most recent census. It also affected around 20,000 Canadians and 15 million Brits.
It was a catastrophe of unprecedented proportions.
According to an article in fortune.com, ‘The GAO [General Accounting Office] report confirms that a single Internet-facing web server with out-of-date software led to the breach, which went undetected for 76 days. Attackers made 9,000 queries that were unnoticed due to a failure to keep a network-data inspection system up to date. It hadn’t worked for 10 months before staff noticed. And attackers accessed a database that contained unencrypted credentials that they used to access other internal databases.’
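Two of the findings in that GAO summary are detection failures rather than exploitation ones: 9,000 queries went unnoticed, and the inspection system that should have seen them had been dead for ten months before anyone looked. The following is an added example (ours, not Equifax’s tooling) of two small checks a security operations team could run over ordinary web-server logs and sensor heartbeats: a per-client query-rate alert, and a ‘monitor the monitor’ check that reports any sensor which has gone quiet. The log lines, client addresses, sensor names and thresholds are all constructed for the example.

```python
"""Two detection checks for the failure modes in the GAO findings:
(1) one client making far more search queries than a human would, and
(2) an inspection sensor that has stopped reporting.

Added example, not Equifax's tooling. Log lines, addresses, sensor names
and thresholds are constructed for illustration."""

from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_log() -> list:
    """Construct sample access-log lines: one ordinary client making a
    handful of searches over half an hour, one client scripting 300
    searches in a minute. Format: '<iso-timestamp> <client> <method> <path>'."""
    base = datetime(2017, 5, 13, 10, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(minutes=i * 7)
        lines.append(f"{t.isoformat()} 10.0.0.5 GET /portal/search?q=user{i}")
    for i in range(300):
        t = base + timedelta(seconds=i / 5)  # five requests per second
        lines.append(f"{t.isoformat()} 203.0.113.9 GET /portal/search?q=dump{i}")
    lines.sort()  # ISO timestamps sort lexicographically within one day
    return lines


def parse(line: str):
    ts, client, _method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, path


def find_bulk_queriers(lines, threshold: int = 100,
                       window: timedelta = timedelta(minutes=1),
                       path_prefix: str = "/portal/search") -> dict:
    """Sliding window per client: record the first moment a client exceeds
    `threshold` search requests within `window`. Returns
    {client: iso-timestamp-of-first-alert}."""
    windows = defaultdict(deque)
    alerted = {}
    for line in lines:
        ts, client, path = parse(line)
        if not path.startswith(path_prefix):
            continue
        q = windows[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > threshold and client not in alerted:
            alerted[client] = ts.isoformat()
    return alerted


def silent_sensors(last_seen: dict, now: str,
                   max_gap: timedelta = timedelta(hours=1)) -> list:
    """Monitor the monitor: given {sensor: iso-timestamp-of-last-heartbeat},
    return the sensors whose last heartbeat is older than `max_gap`, so a
    dead inspection device is noticed in hours rather than months."""
    now_ts = datetime.fromisoformat(now)
    return sorted(
        name for name, seen in last_seen.items()
        if now_ts - datetime.fromisoformat(seen) > max_gap
    )


# Constructed heartbeat feed: one healthy sensor, one that died last year.
HEARTBEATS = {
    "ids-edge-1": "2017-05-13T09:50:00",
    "ids-edge-2": "2016-07-13T10:00:00",
}

if __name__ == "__main__":
    print("bulk queriers:", find_bulk_queriers(make_log()))
    print("silent sensors:", silent_sensors(HEARTBEATS, "2017-05-13T10:00:00"))
```

Neither check is clever, and that is the point: the scripted client trips the rate alert twenty seconds in, and the sensor that has not reported since the previous summer is the first line of the heartbeat report. What matters is that somebody owns both alerts and that the heartbeat check is itself on a schedule that does not depend on the thing it is watching.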
In terms of the value of the data, this was a major score for the cyber criminals responsible. On the dark web a driver’s license can fetch up to $20, according to Patrick Tiquet, Director of Security and Architecture at Keeper Security, and while Social Security numbers only go for about a dollar each, if you’ve got 145 million of them that makes for a decent payday.
Can We Have The Bill, Please…
If you’re Equifax, or indeed any of the behemoth corporates who have been victims of huge data breaches over the last few years, it doesn’t make for pretty reading.
So far, the bill is a frankly eye-watering $1.35bn, or in old money a dribble over a billion quid.
Their Q1 earnings statement said that the number ‘related to the incident, incremental technology and data security costs, and an accrual for losses associated with legal proceedings and investigations.’
They recouped $125m from an insurance policy (after a $7.5m excess), but the breakdown of what they had to shell out in the first three months of 2019 alone is as follows:
$690m for ‘accrual for legal matters’
$82.8m for ‘technology and data security’
$12.5m for ‘legal and investigative fees’
$1.5m for ‘product liability’
On top of this cumulative figure of $786.8m, a further $68.7m was spent in Q1 2018. Phil Muncaster, writing in infosecurity-magazine.com, details what the money was spent on.
‘Its technology and data costs “include incremental costs to transform our technology infrastructure and improve application, network, data security, and the costs of development and launch of Lock and Alert,” the company explained in its Q1 results. “These include people, services and direct product costs.”’
‘The legal costs relate to payments to lawyers and professional services companies to investigate the incident and respond to legal, government, and regulatory investigations and claims. Product liability costs relate to its paying for free credit monitoring for customers.’
Notwithstanding this colossal amount of money spent on fixing the data breach, the UK’s Information Commissioner’s Office (ICO) fined the company the maximum possible under the Data Protection Act 1998, £500,000, in response to the failings that led up to the ‘incident’, and they got a proper telling off from Information Commissioner Elizabeth Denham.
‘The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data.’
Had the ‘incident’ happened after GDPR came into force in May 2018, the fine could have been far larger. GDPR caps fines at 4% of global annual turnover (or €20m, whichever is greater), which on Equifax’s 2017 revenue of $3.36bn works out at roughly $134m; some sources have floated figures closer to $1.5bn, but that would exceed the statutory ceiling.
Succinctly put by Phil Muncaster – ‘The latest revelations can be seen as a cautionary tale of what happens when organizations fail to implement adequate cybersecurity.’
If you don’t want to ‘do an Equifax’, email us today on firstname.lastname@example.org or call 020 7078 0789.