Equifax’s Security Progress Since Last Year’s Data Breach Examined
Inside Subprime: July 26, 2018
By Lindsay Frankel
It’s been one year since one of the worst data breaches in U.S. history, when hackers stole financial data belonging to more than 147 million people from the credit bureau Equifax. Since then, the company has faced class action lawsuits, criticism from the Federal Trade Commission, and several new regulations established to ensure security improvements.
Repairing the Damage
Equifax has been working with Jamil Farshchi, its new chief information security officer, to bolster its security approach. The company has spent $200 million on data security since the breach, giving Farshchi the resources needed to transform the bureau’s security program, which former CEO Richard Smith admitted had been lackluster. Equifax did little to defend against or prepare for a possible breach, and Smith acknowledged that both the company’s patching process and data encryption were inadequate. Equifax neglected to apply a critical patch even though it was available for two months before the breach.
A year later, Farshchi is chipping away at the company’s priorities for transforming its approach to security. “We have to harden the perimeter and make sure that we do not have any more weaknesses up front,” he told Wired. This entails improving the patching process and strengthening vulnerability and certificate management. Farshchi has also turned his attention towards bolstering access control protections and designing programs to improve the detection of and response to security threats. He’s also dedicated to building a better security team and training employees in every department to use preventative measures.
Equifax CEO Mark Begor says the company strives not only to remedy the outcomes of the breach but also to set an example for the industry. “Our goal is to create a world-class security program at Equifax and to share what we’ve learned from our own experiences in order to ultimately help our industry better protect and defend against cyberattacks,” he told Wired. “Data security is a long-term battle that will require continued innovation and attention. It will always be a top priority for our company.”
Unlike other corporate data leaks, the Equifax breach exposed data from people who hadn’t chosen to share their information with the company. Many weren’t even aware of how credit bureaus operate or why Equifax had access to their personal data. In response, Equifax is working on reviving outreach and education. But even as consumers become more knowledgeable about credit bureaus, they will be unable to withhold their private information from these companies.
Ira Rheingold of the National Association of Consumer Advocates noted that consumers find this lack of choice concerning. “You are Equifax’s commodity, and the fact is you have minimal control over what data they hold. That’s what their business model is,” she said, adding that consumers would likely opt out of sharing their information with Equifax if they could.
Equifax claims to be committed to revamping its approach to security and has even signed an agreement with state regulators to focus on specific improvements and submit progress reports every month. Julia Houston was hired as the chief transformation officer, a role created to address the breach. She noted significant progress and new attitudes towards security. “It’s important for people to understand the seriousness with which we’re taking our remediation efforts, the investments that we’re making in data security, and the seriousness with which we see our obligation to the data that’s been entrusted with us,” she said.