Don’t Be Equifax

If you read our blog you know that we stress the importance of PCI Compliance. It is necessary for you, the merchant, to stay in business, and it helps to safeguard your business and your customers’ information. We’ve been over what you should do if you are a victim of a data breach, and while we hope that you never have to deal with that (maintaining PCI Compliance all year round can help you avoid it!), we occasionally go over the worst-case scenarios of what a data breach can lead to.

Today, we’ll focus on one of the most prominent data breaches of the past few years and the fallout from it. Your business is certainly not on this scale, but we hope this shows you what can happen when a data breach occurs, and what not to do if you want to avoid the same fate.

Equifax

In 2017 the consumer credit reporting agency Equifax suffered a major data breach. In fact, they suffered two major breaches during the 2017 calendar year, despite warnings about their insecure systems that came several months earlier. As a credit monitoring service, Equifax held the private information of millions of Americans, such as names, birth dates, Social Security numbers, credit card numbers and more, all lucrative targets for cyber criminals.

Their systems were breached first in March and then by the same people in May, June and July; the attackers were later determined to be hackers employed by the Chinese military. The personal information of over 145 million Americans, as well as millions of foreigners, was stolen. The breach was detected in late July and revealed to the public that September. The breach was made possible by a vulnerability in the Apache Struts web application framework for which a security patch had been released in early March, but Equifax had not yet applied the patch. The damage was exacerbated by a lack of network segmentation, inadequate encryption and a lack of breach detection mechanisms.

The Fallout

The fallout was immediate. Customers were advised to freeze their credit reports and the company’s stock dropped 13% right away. Lawsuits from companies and individuals followed quickly. The company’s CIO and CSO both lost their jobs. A government probe followed. In the summer of 2019, Equifax, the FTC, the CFPB, 48 US states, Washington DC and Puerto Rico reached a settlement under which Equifax will pay $575 million in civil penalties and compensation to people affected by the breach. If that amount proves insufficient, it could rise to $700 million.

Equifax will also have to submit to annual assessments of the vulnerabilities in, and risks to, its systems. These assessments will also verify that all security updates and patches have been applied. Equifax will also be responsible for making sure its third-party vendors keep their systems up to date and secure. Audits will be performed every two years and the testing must be approved by the FTC.

Since the perpetrators were in the employ of the Chinese military it is doubtful that they will ever be brought to justice.

How Does This Affect You?

Now, obviously your business is not Equifax. It is not as big and probably not as prominent. But every year the failure to apply security updates and patches leads to data breaches all over the globe. This breach was entirely preventable, and most, if not all, of them are. If the security patch had been applied promptly, this could have been avoided. That goes for Equifax and it goes for your business. Keeping your computer systems up to date is a core part of PCI Compliance, and Equifax is paying for neglecting it. It was a potentially $700 million mistake.
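The failure described above (a fix released in early March, still not installed when the attackers came through in May) and the annual checks in the settlement that verify patches are applied both come down to one question: for each component you run, how far behind the vendor's fixed version are you, and for how long? The script below is an added example, not code from the original post or from Equifax; it answers that question for a small inventory. The component names, versions, hosts and dates are constructed sample data, not real advisories, and the 30-day window reflects PCI DSS's requirement to install critical security patches within one month of release.

```python
"""Patch-lag checker: flags deployed components that are still below the
vendor's fixed version after the patch has been available for longer than
the policy window.

Added example; not from the original post. All component names, versions,
hosts and dates below are constructed sample data, not real advisories.
"""
from dataclasses import dataclass
from datetime import date

# PCI DSS requires critical security patches to be installed within one
# month of release; 30 days is used as the threshold here.
MAX_PATCH_AGE_DAYS = 30


def parse_version(version: str) -> tuple:
    """Turn '2.3.9' into (2, 3, 9) so that versions compare numerically
    rather than as strings ('2.3.9' < '2.3.32' must hold).
    Assumes dotted numeric versions; suffixes like '-rc1' would need handling."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Advisory:
    component: str
    fixed_version: str   # first version that contains the fix
    released: date       # date the fixed version was published


@dataclass
class Deployment:
    host: str
    component: str
    version: str         # version actually installed on the host


def find_overdue(deployments, advisories, today):
    """Return (host, component, installed, fixed, days_unpatched) for every
    deployment still below the fixed version once the patch is older than
    MAX_PATCH_AGE_DAYS. Deployments inside the window are not reported."""
    by_component = {adv.component: adv for adv in advisories}
    overdue = []
    for dep in deployments:
        adv = by_component.get(dep.component)
        if adv is None:
            continue  # no known advisory for this component
        if parse_version(dep.version) >= parse_version(adv.fixed_version):
            continue  # already patched
        age_days = (today - adv.released).days
        if age_days > MAX_PATCH_AGE_DAYS:
            overdue.append((dep.host, dep.component, dep.version,
                            adv.fixed_version, age_days))
    return overdue


# Constructed sample data (hypothetical component names and versions).
ADVISORIES = [
    Advisory("example-web-framework", "2.4.0", date(2017, 3, 1)),
    Advisory("example-db-server", "10.3.0", date(2017, 7, 20)),
]

DEPLOYMENTS = [
    Deployment("web-01", "example-web-framework", "2.3.9"),   # never patched
    Deployment("web-02", "example-web-framework", "2.4.0"),   # patched
    Deployment("db-01", "example-db-server", "10.2.1"),       # patch only 9 days old
]


def report(today: date = date(2017, 7, 29)):
    """Run the check against the sample inventory for a given date."""
    return find_overdue(DEPLOYMENTS, ADVISORIES, today)


if __name__ == "__main__":
    for host, component, installed, fixed, age in report():
        print(f"{host}: {component} {installed} < {fixed}, patch available "
              f"for {age} days (policy: {MAX_PATCH_AGE_DAYS})")
```

Run against the late-July date, the check reports only web-01, which has had a fix available for 150 days; db-01 is also unpatched but its fix is 9 days old, so it is still inside the window. In practice the inventory comes from your own asset list and the advisories from your vendors' release notes, and the report is what an assessor checking "all security updates and patches are applied" would ask to see.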

While you may not be facing a fine in the hundreds of millions of dollars, you will face fines and have other hurdles placed in front of you in order to stay in business. A data breach will cost you money. It may not be as much as it cost Equifax, but it will be a significant sum, and that could cost you your business.

Don’t get caught like this. Achieve PCI Compliance and maintain it all year round. If you do, the chances of this happening to you will dramatically decrease. You will sleep better at night knowing that you did.