Richard Parris, CEO and Chairman, Intercede

In another stark warning about the inadequacy of major companies’ abilities to secure their data, Equifax US has announced a cyber security breach potentially affecting over 143 million US consumers, which some insiders appear to have used to enrich themselves.
The company claimed that criminals exploited a US website application vulnerability to gain access to key data of their customers. Based on the company’s investigation, the unauthorised access occurred from mid-May through to July 2017. The company has found no evidence of unauthorised activity on Equifax’s core consumer or commercial credit reporting databases.
However, three Equifax senior executives sold shares worth almost $1.8 million in the days after the company discovered the security breach, according to Bloomberg.

Equifax said last Thursday that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on 2nd August. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.
The three “sold a small percentage of their Equifax shares,” Ines Gutzmer, a spokeswoman for the Atlanta-based company, said in a statement to Bloomberg. They “had no knowledge that an intrusion had occurred at the time.”

Equifax said in its statement that intruders accessed names, Social Security numbers, birth dates, addresses, and driver’s license numbers, as well as credit-card numbers for about 209,000 consumers. The incident ranks among the largest cyber security breaches in history.
Equifax shares tumbled 13 percent to $124 in extended trading at 7:49 p.m. in New York.

Recent research conducted by Intercede found that 86% of systems administrators within major enterprises – those people who hold the keys to an organisation’s kingdom – are using basic password authentication to protect data. What’s more, 50% of respondents admitted that business user accounts in their organisations were ‘not very secure.’

This is just no longer acceptable

Richard Parris, CEO and Chairman, Intercede said: “It’s no surprise, then, that we see hack after hack. But it’s no longer acceptable to put customers at risk, advising them to ‘change or use complex passwords’ when passwords are the root cause of the majority of data breaches today. Businesses have been warned that current security methods are no longer enough to fend off cyber criminals and it’s us – the general public – that is left to wonder who has access to our data and which of our online accounts will be compromised next.

“The right security methods are out there – strong authentication that incorporates multiple levels of authentication such as PIN numbers, devices, and biometrics. This makes it much more difficult for cybercriminals to hack into systems. But it appears businesses are getting lazy and lack the volition to make change. Equifax’s data breach is an example of the type of breach we should not be seeing today, and it’s worrying that calls for change are falling on deaf ears. Businesses will have no choice but to sit up and listen as GDPR comes into effect next year, but it’s reproachable to see businesses continuing to play fast and loose with our personal information until something bad happens to them.”

The information accessed includes names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers, were accessed.
Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. The company has found no evidence that personal information of consumers in any other country has been impacted but that possibility is not fully ruled out.

Breach discovered in July

Equifax discovered the unauthorized access on July 29 of this year and said that it acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continued to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and chief executive officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”

However, Etienne Greeff, CTO and Co-Founder of cybersecurity firm SecureData, disagreed: “Today’s news on the hack against credit reporting firm Equifax is a textbook example of how not to handle a data breach effectively. Over half the population of America was put at risk, not to mention the vast number of credit cards that were compromised. Yet, despite the severe and far-reaching repercussions of the incident on customers, the reaction from the company has been lacklustre and worrying.

“In response to the breach, Equifax created a website – Equifaxsecurity2017.com – that offers free identity theft protection and credit file monitoring to all US customers. However, customers are asked to input additional information into the website that doesn’t even have a valid security certificate. It’s akin to offering contents insurance to a person whose house has already been robbed – and potentially putting them at risk even further. What’s more, Equifax has been relatively tight lipped about the type of information that has been compromised, meaning if customers want to take advantage of the company’s Credit Freeze feature to prevent further credit theft, they have to use a PIN number that may or may not have been stolen by cyber criminals.

“In short, Equifax’s knee-jerk and ill-considered response to the breach is shambolic. It appears the company is more concerned about its own image than supporting customers and providing transparency on what exactly has happened. With the GDPR legislation due to come down heavily on companies that neglect to better protect customer data, this should serve as a lesson to other businesses about how to be more prompt and forthcoming with action against cyber crime.”

by Bill Boyle
IBS Intelligence Senior Editor