US Credit Rating Company Equifax was hacked last Friday with 143 million customer details stolen, 44 million of which may have come from UK customers.
The hack, which many experts believe is the largest in US history, is thought to have happened after hackers found a way through a vulnerability on the website.
Equifax has received criticism for trying to save money on cyber protection at the expense of customer data-protection and had a lawsuit filed against it in Portland, Oregon for allegedly not maintaining adequate technological safeguards.
Waited 40 Days
What many have found most shocking about the hack is that, not only is Equifax reported to have known about the attack some 40 days before informing the public that it had happened, but that three senior executives at the company (which is a New York Stock Exchange-listed firm) are believed to have sold-off shares worth almost £1.4m before the breach was publicly announced. After the public announcement was made, Equifax’s stock fell by more than 14%.
What Kind of Details Were Stolen?
It is believed that the customer details stolen in the attack included names, US social security numbers, dates of birth, addresses, driver's license details, and also around 209,000 credit card numbers.
Although 44 million is the possible number of UK customer details stolen, it is not clear how much UK customer data was held in the US, and the word from Equifax at the present time is that limited personal information from British and Canadian residents had been compromised in the hack.
The Information Commissioner’s Office (ICO) has now asked Equifax to alert affected UK customers at the earliest opportunity.
It has been reported in some areas of the media that British customers of Equifax include companies such as BT, Capital One, and British Gas may have been affected by the hack.
There May Be Trouble Ahead
The hack may be particularly dangerous for US citizens because they use their social security number for verification of their IDs, and a large number of social security numbers were stolen in the attack.
What Does This Mean For Your Business?
As security commentators have pointed out in this case, there is an awful irony because hackers have been able to compromise the companies that internet users rely on to safeguard their identities and finances. The scale and severity of this hack shouldn’t be underestimated, and it affects the whole credit reporting system in the United States.
Unfortunately, Equifax is likely to have held a lot of data about individuals who are not directly customers as well as storing information about businesses. Equifax hold the data of 820 million consumers and 91 million businesses. Many businesses are direct customers of Equifax, and although the extent of theft of data relating to UK companies and individuals is unknown, it may be wise to take proactive action anyway. This means monitoring your credit report (which will show any credit accounts set up in your name), and reporting any evidence of identity fraud to Action Fraud. You should also be vigilant for any suspicious and unsolicited emails (avoid clicking on links from unknown sources), or phone calls which could be from cyber criminals in the wake of the attack.
This story also illustrates how important it is to invest in keeping security systems up to date and to maintain cyber resilience on all levels. This could involve keeping up to date with patching (9 out of 10 hacked businesses were compromised via un-patched vulnerabilities), and should extend to training employees in cyber security practices, and adopting multi-layered defences that go beyond the traditional anti-virus and firewall perimeter.
Companies need to conduct security audits to make sure that no old, isolated data is stored on any old systems or platforms. Companies may now need to use tools that allow security devices to collect and share data and co-ordinate a unified response across the entire distributed network.
The reported behaviour of Equifax in this case (waiting 40 days before reporting the hack, and some executives selling stock) is clearly reckless and is likely to damage the reputation and brand of the company. The hack itself and the associated problems also illustrate the importance of having workable, updated Business Continuity and Disaster Recovery Plans in place.