An emerging crisis at Equifax
On 8 September, Equifax, an American credit rating firm, disclosed that ‘about’ 143 million of its US customers “may have had” their personal information compromised in a security breach. Hackers accessed personal data such as social security numbers, birth dates, addresses and credit card numbers between mid-May and the end of July (when the breach was discovered) by exploiting a “website application vulnerability”.
Spreads to UK
On 15 September Equifax said that in the security breach the hackers had accessed the personal information of “fewer than 400,000” UK consumers. It said data on Britons, including names, dates of birth, email addresses and telephone numbers, were stored in the US due to a “process failure”.
The damage so far
The US Federal Trade Commission, two US Congressional committee chairmen and several US State prosecutors have all said they will conduct investigations into Equifax.
On Thursday 7 September, the day before the breach was reported, Equifax’s shares stood at $142.72. On Friday 15 September, they closed at $92.98, a fall of $80.26.
On Saturday 16 September, the Daily Telegraph reported (see http://www.telegraph.co.uk/technology/2017/09/08/equifax-hack-britons-data-watchdog-investigates-ukimpact-major/) that Equifax had been warned in April that it was vulnerable to data theft and security breaches after an audit revealed that:
“Equifax’s data security and privacy measures have proved insufficient in mitigating data breach events. The company’s credit reporting business faces a high risk of data theft and associated reputational consequences”.
“Equifax is vulnerable to data theft in security breaches. The company’s data and privacy policies are limited in scope and Equifax shows no evidence of data breach plans or regular audits of its information security policies and systems”.
Also on 16 September, Equifax’s chief information officer and chief security officer were both replaced.
Equifax is being investigated by US, UK and possibly other national regulatory authorities; its shares have lost over 50% of their value in a week; and two members of its senior management team have lost their jobs. In addition, it’s very likely Equifax will face massive legal claims over the breach.
To say that its reputation has suffered may be a very considerable understatement.
Whatever the eventual outcome may be, there’s no doubt this massive data security breach is a disaster for this long-established business.
An incident waiting to happen?
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, replacing current EU data protection law (in the UK, the Data Protection Act (DPA)).
The UK’s Information Commissioner has said: “The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”
If the article in the Daily Telegraph is correct, it appears that Equifax ticked boxes, but didn’t take its data security nearly as seriously as it could and should have.
This article is intended for informational purposes only, so please don’t rely on it as legal advice!