Updated on 16/11/2023

Personal Data “Out in the Wild” (Equifax)

The Equifax hack sent shockwaves throughout the US in 2017. What happened, and why was it so serious?

The Role of Equifax

Equifax is a private company that assesses individuals’ and companies’ credit scores in the United States. It analyzes different parameters, such as current loans, to decide whether a person is capable of repaying new debts or not.

To sum up, Equifax compiles private information, analyzes it, and creates a report which it then sells to other companies that need to assess creditworthiness. If Equifax gives you a good credit score, you can take out a loan.

The credit score agency Equifax

The Equifax Hack

In mid-2017, it came to light that Equifax had fallen victim to a massive data breach, in part due to a vulnerability in Apache Struts, a Java web application framework, which the company hadn’t gotten around to patching. This hack was critical, as it led to a leak of millions of Americans’ personal data:

  • Names

  • Postal addresses

  • Dates of birth

  • Social security numbers

  • Driver’s license numbers

  • Bank card numbers

145.5 million Americans were affected by this data leak, almost half the population. This personal data is now out in the wild and can be used for different types of fraud.

The most worrying data leaked might initially seem to be the bank card numbers, but in fact, the leakage of social security numbers was even more serious. In the U.S., this number is considered a type of private ID. It can be used to open a bank account or apply for a loan, which means that it can be used to ruin someone financially.

For example, if someone knows your social security number, they can take out a loan in your name or submit false tax declarations. You then have to prove that it wasn’t you, and this can be a long and complex process.

As a direct result of this breach, the American press is full of articles explaining how best to protect yourself from social security fraud. Others recommend frequently checking that no new loans have been taken out in your name. American consumers are paying the price for this hack.

How Equifax Dealt With This Crisis

As well as the hack itself, which had serious consequences for many Americans, the management of the crisis raised many eyebrows:

  • The hack took place in mid-May but wasn’t discovered until the end of July—two and a half months after it happened.

  • Equifax only informed the public on September 7, five weeks after they discovered the hack. That’s a very long time for such a significant event!

  • Meanwhile, the company directors sold off some of their shares, even though they were already aware of the breach. They were consequently prosecuted for insider trading. 

  • The company directors’ reactions and the attempts to play down the seriousness of the event caused a public outcry.

This has been an expensive affair for Equifax: the company has agreed to pay at least $380.5 million to settle the class action lawsuit brought against it.

Let’s Recap!

  • It’s vital to keep software up to date, particularly to ensure that critical vulnerabilities are fixed (in this case, an outdated version of Struts was to blame).

  • The time it takes to communicate a hack and the company’s reaction will be closely scrutinized.

  • In the United States, you only need one number (social security number) as ID to take out a new loan. This is nowhere near secure enough. This case has raised serious questions about the identification system used in the US. 
