Computer Science and Informatics researcher Abigail McAlpine comments on credit reference agency Equifax finally having to acknowledge the true extent of the cyber-attack on the company, a data breach now said to affect 694,000 British customers.
How can Equifax have got it so wrong?
“Equifax admitted that the actual number of UK customers who had their personal information stolen in the major breach in May this year is almost double the initial estimates. The prediction initially stood at ‘fewer than 400,000’ British customers affected, a figure that already made the data breach one of the largest on record in the UK. However, this latest revised figure is the result of investigators discovering more files successfully obtained by the hackers.
The attack was detected on 29 July and, despite the company stating that it acted immediately to stop the intrusion, it chose not to release the news of the cyber-attack until over five weeks later, in September, stating that it took this time to investigate the hack.
The initial breach was made to Equifax’s US systems between May and July, and hackers successfully acquired an estimated 143 million customer files in the US. The reason a limited amount of British customers’ data was also available to the hackers was a process failure that meant British customer details were stored in US systems between 2011 and 2016.
Equifax is a US credit reporting agency holding data on an estimated 800 million individuals and 80 million businesses globally. Richard Smith, the CEO and Chairman of Equifax, stepped down as a result of the hack being reported, stating that this was ‘in the best interests of the company’; this outcome came alongside an almost instantaneous drop in the company’s stock of 13% on the day of the announcement.
Data obtained by the hackers during the attack included email addresses, passwords, driving licence numbers, phone numbers and more, including partial credit card details of fewer than 15,000 customers. The company has stated previously that the records obtained did not contain any other financial information, addresses or passwords; however, conflicting reports have been made regarding the extent of the information obtained.
The company has stated that it is currently in the process of contacting the British customers affected by the attack, which was revealed four months after the hackers targeted an estimated 15.2 million records in the UK. Customers who receive confirmation from Equifax regarding the successful hacking of their data will have access to a seven-day helpline and identity protection service, and they will also be offered a free account for monitoring services. However, further scrutiny has been placed on Equifax’s attempt to limit its liability for the attack by offering the free monitoring service. The small print in the company’s terms and conditions of use states that customers who agree to sign up to the monitoring service offered by Equifax also agree to terms that prevent them from suing Equifax or entering into a class action lawsuit.
Legally, this data breach has resulted in enquiries by the US Congress into how the breach was allowed to happen, how the company responded and how the reaction to the knowledge of the breach was managed.
New laws could potentially be put in place to impose uniform procedures and regulations regarding updating victims of data breaches in a timely manner, rather than the five-week delay that Equifax instigated, and regarding the questionable timing of stock sales by figureheads within the company during the interim.
In the UK, the Information Commissioner’s Office and the Financial Conduct Authority are also scrutinising the breach and the process failures that resulted in the extended breach of British customers’ data, which should not have been accessible in the recent attack.
The fact of the matter is that, due to the nature of the service Equifax offers, even if consumers have not taken up any of Equifax’s services, the company is still likely to hold a lot of personal data about them. Due to the highly personal nature of the information the company stores and has access to, it is expected that there should be technical safeguards in place and a standard duty of care for protective procedures. How this hack is dealt with could potentially shape standards for companies who operate in similar and related fields in future.”