Posted by: Heather Shy on September 15, 2017 at 2:25 pm
Perhaps, like many, you would think it safe to assume that an entity that gathers our sensitive financial data would have extremely high, if not the highest, levels of data protection. So, when it came to light recently that Equifax, one of the holders and supposed protectors of our most valuable consumer information — the basis of our very financial identities — was hacked, it struck a serious blow to confidence in the financial system and its technology.
After all, aren’t we all warned time and again to protect our Social Security numbers and credit card numbers? That our credit rating is one of the most valuable pieces of our fiscal identity? That we should actively work to improve and protect it?
And now the credit of 143 million people is at risk.
What Went Wrong?
Adding to the frustration is the timeline of the events:
- March 6 – Software security patch for Apache Struts released
- Mid-May – Equifax breached
- July 29 – Equifax breach discovered
- August 1 & 2 – Top Equifax executives sell $2 million of Equifax stock (probably completely unrelated; please note sarcasm)
- September 7 – Public notified of the breach
Why didn’t Equifax apply the patch as soon as it was released? While we don’t have any inside knowledge about their network, sometimes a business will delay installing a patch until they can thoroughly test it to see if anything else breaks. In addition, Ars Technica points out that installing this particular patch was far more complex than clicking “Run”:
“…patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don’t break key functions on the site.”
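The first step in that rebuild effort is knowing which deployed apps still bundle an old Struts. The following script is an added illustration (not from the original post or from Equifax or Ars Technica): it walks a directory of WAR/EAR archives, reads the struts2-core jar version out of each, and reports any below a threshold you supply; the sample archives and the threshold version in the demo are constructed placeholders, not the real fixed release.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Matches jar names such as WEB-INF/lib/struts2-core-2.3.31.jar
STRUTS_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(v):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def struts_versions_in_archive(data):
    """Return the Struts 2 core versions bundled in a WAR/EAR given as bytes.
    WARs nested inside an EAR are opened recursively."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            m = STRUTS_JAR.search(name)
            if m:
                found.add(m.group(1))
            elif name.lower().endswith(".war"):
                found |= struts_versions_in_archive(zf.read(name))
    return found

def inventory(root, min_fixed):
    """Walk root for .war/.ear files; return {path: [versions older than min_fixed]}."""
    fixed = parse_version(min_fixed)
    outdated = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".war", ".ear"):
            old = sorted(v for v in struts_versions_in_archive(path.read_bytes())
                         if parse_version(v) < fixed)
            if old:
                outdated[str(path)] = old
    return outdated

def build_sample_war(version):
    """Constructed sample: a minimal WAR whose WEB-INF/lib carries an (empty) struts2-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(f"WEB-INF/lib/struts2-core-{version}.jar", b"")
    return buf.getvalue()

def demo(min_fixed="2.5.10"):
    """Scan two constructed WARs in a temp dir; '2.5.10' is a placeholder threshold, not the real fix."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "legacy.war").write_bytes(build_sample_war("2.3.31"))
        Path(d, "current.war").write_bytes(build_sample_war("2.5.10"))
        return {Path(p).name: vs for p, vs in inventory(d, min_fixed).items()}

if __name__ == "__main__":
    for war, versions in demo().items():
        print(f"{war}: outdated Struts {', '.join(versions)}")
```

Point `inventory()` at a real deployment directory and pass the version your vendor advisory names as fixed; anything it lists is an app that still needs the rebuild the quote describes.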
Additionally, it’s not unusual for breaches to go unnoticed for a while.
Nothing in this post is meant to defend Equifax, however. This situation should be thoroughly investigated and reparations made to those affected.
At the consumer level, there are a ton of articles on how to freeze and monitor your credit. We definitely advise people to look into these options and decide what works best for them and their family members. (Don’t forget your minor children.) Act quickly.
From a business point of view, if you use your personal credit for business loans or other funding, you will also need to keep a close eye on your credit and finances. You might encounter some extra fees to unlock and relock your credit files for loan officers as needed. Ask your accountant if those are tax-deductible.
In a collision of news stories, anyone who froze their credit and is also interested in the new iPhones announced this week may have to unfreeze their credit in order to use wireless carrier payment plans.
Some of the hacked information will probably be used in phishing and spear-phishing attempts where email scammers target specific contacts within a company by claiming to be managers and executives. They have a few additional tools now that make them look legit, so be extra-skeptical about unusual requests. Double-check the sender’s email address and maybe make a quick phone call to verify before wiring thousands of dollars to a previously-unknown business contact.
Standard security practices still apply and should be used diligently. Don’t open invoices from companies you don’t do business with. Don’t open resumes if you aren’t the hiring contact. Don’t send iTunes cards to someone claiming to be from the IRS. Microsoft will not call you to fix your computer or anything else.
There will probably be phone calls and emails, maybe even letters, from scammers claiming to “fix your credit.” Don’t fall for these.
Train and remind your staff on these common-sense protections so they aren’t giving away protected company data or unwarranted access.
Health providers: beware of criminals attempting to use Social Security numbers to get patient info.
Know your regulatory requirements and make sure these are in place and staff is trained in proper procedures.
RUN YOUR UPDATES. Run security patches. Update your Firefox. Update your Java. Do not use Internet Explorer 8 and think your system will be protected. Update your Windows OS. Update your Mac. Do not use XP or Vista or even Windows 7 on the internet and think your network is safe. Update update update. There is a REASON these updates come out all the time, and your company’s reputation and financial security are on the line.
If your business must approve software security updates through several layers of bureaucracy, review those policies to reduce the time for approvals.
Use LAYERS of security. Firewall, anti-virus, anti-spam, anti-malware, encryption, backups, etc. etc. Require complex passwords and multi-factor authentication.
Follow your industry regulations. Encrypt sensitive data wherever possible. And protect your clients’ information like your business depends on it.
Do everything you can so your company won’t be the next Equifax.