Equifax Data Breach: The Point of No Return
On September 7, big-three credit reporting company Equifax reported that hackers gained access to the personal information of about 143 million U.S. consumers. This scandal will be bigger than the Wells Fargo, BP, Chipotle, Volkswagen and Bernie Madoff scandals combined.

The Equifax breach is unprecedented in both quantity and quality. It is second to none in terms of how many Social Security numbers were compromised, dwarfing all preceding attacks 10 to 1. More importantly, this attack is unique in that it directly connects our Social Security information to all of our banking and credit card accounts, along with other key identifiers such as birthdate, address and driver’s license number. Not only can anyone’s identity be more easily impersonated, but all existing accounts, including checking and savings accounts, can easily be drained up to their maximum limit.

I have written about data breaches in the past, my main point being that they are all offenses of ineffective and negligent risk management, which are preventable with enterprise risk management. I have written about corporate scandals of all kinds, my main point being that they all share the same root cause: a failure to ensure that corporate policies are effective from the operations of the organizations all the way to the vendors they partner with and outsource to. I have also always contended that companies will suffer most from the reputational damages of their risk management failures far above and beyond the immediate financial, legal, and compliance consequences.

These points are yet again directly applicable to Equifax. However, because of the sheer scale and unique nature of this breach, it will also impact the integrity of our financial infrastructure and our national security (in terms of money laundering and terrorism), and it will upend our personal lives like nothing we have seen before.

I predict that, in addition to all the class action lawsuits, congressional investigations and financial penalties Equifax will pay, this is truly the point of no return for enterprise risk management. The focus will soon shift to the banks, stores and other organizations that do business with Equifax and other data brokers. After all, these institutions are the ones that gave away our information to Equifax without doing the due diligence on their part to ensure that our information would be safe.

This scandal, the outrage the country is feeling right now, and the actual damages and level of distrust Equifax has instilled in us will be a contagion that spreads to each and every organization. For too long, corporations have been too complacent about ensuring that the policies for their organization and their partner supply chains are effective. Regulators have not held senior management as accountable for risk management as required, and individuals have not been motivated and focused enough to express their outrage at a level that creates change, until now.

The scandal is no longer only about Equifax; it is about the way we think about risk management and our expectations of adequate corporate risk responsibility. Customers will put their money and their loyalty only where it’s safe. It follows that organizations will need a way to prove that they are safe havens for their customers’ security. Therefore, the Equifax data breach will be a watershed moment when CEOs and boards of every company, facing intensified scrutiny, will finally demand more effective enterprise risk management instead of just talking about it.

The Equifax data breach is a failure in risk management

Equifax reported that the hackers behind the attack “exploited a U.S. website application vulnerability to gain access to certain files.” According to a report by William Baird & Co., that vulnerability was in a popular open-source software package called Apache Struts, a programming framework for building web applications in Java.

As with all risk management failures, the blame cannot be displaced onto technology, one business area, or another company. As a corporation that deals with the personally identifiable information of 200 million U.S. customers, Equifax has a legal and moral responsibility to adopt an effective risk management program that ensures their customers’ security. Equifax alone is responsible for identifying and mitigating the risks associated with their assets, including the sites they use and the third parties they work with.

Equifax is now scrambling to contain the legal and financial fallout. Two class-action suits have been filed, and a congressional investigation has been opened. I believe that Equifax will be found negligent in its enterprise risk management responsibilities, and in failing to identify and act on known weaknesses in its data security risk management. I believe with high confidence, as with all corporate scandals, that it will be determined that the Equifax vulnerability was known ahead of time and preventable.

Of course, Equifax is not the only guilty corporation in this regard. The security researchers who discovered the bug warned that the affected application is used by 65% of Fortune 100 companies. And according to the Identity Theft Resource Center, 975 serious breaches were verified to have taken place year to date in 2017, affecting 19,367,773 records that contain Social Security numbers, financial account information, or sensitive medical information.

Not enough organizations have adopted an enterprise risk management approach to cyber security. Such an approach is needed to operationalize internal cyber policies across the enterprise, to monitor their effectiveness with end users and vendors, and to assess, mitigate and monitor activities across business silos.

Consumers and investors are demanding more effective risk management. There are banks, stores and organizations out there that are doing their due diligence and implementing responsible measures to keep your information safe. These are the institutions that deserve our business.

The contagious damages of the Equifax data breach

We’ve discussed the havoc reputational damages have wreaked on large corporations before, most recently regarding Wells Fargo. The widespread and irreparable nature of these damages is once again applicable to Equifax.

The day after the breach, shares of Equifax fell 14%. What is unique about these reputational damages is that while customers cannot always control whether they are customers of Equifax, they can control the banks, stores and other businesses they give their patronage and loyalty to. After all, it is these institutions that gave away our information to Equifax without instituting appropriate third-party risk management monitoring over who they gave it to.

To bring this home, let’s look at the impact of the breach on the typical consumer. The average identity theft victim spends 175 hours on recovery and an average of $1,400 in out-of-pocket expenses. Tempting as it may be, the consumer cannot associate these losses with Equifax, but rather with the financial services institutions that have our business today.

I believe customers’ outrage will cause a massive shifting of funds and business to those institutions that can demonstrate competent enterprise risk management. Whether Equifax will survive this incident remains to be seen, but I believe that consumers and investors in addition to regulators will start scrutinizing the risk management practices of the banks, stores and other organizations they do business with.



Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.
