News & Commentary
8/14/2018 10:30 AM
Equifax Avoided Fines, but What If ...?

Let's imagine the consequences the company would have faced if current laws had been on the books earlier.

Equifax made headlines around the world in 2017 with a massive data breach of more than 143 million records worldwide. It waited 40 days before notifying consumers of the breach, exposing customers to further risk. And that's not all.

Things went downhill from there, with the CEO, CISO, and CIO retiring or resigning and multiple executives charged with insider trading related to the breach.

All this while the internal processes that led to the breach showed significant failures and a lack of awareness of why basic information security practices exist in the first place. Although the company has been working to overhaul its approach to security, critical questions remain.

Why Do They Have My Data?
In the backlash, many customers — especially those in the EU and Canada, where strong privacy laws exist — wondered why a company they had never agreed to do business with was holding all of this personally identifiable information. This naturally leads to a larger question of what role, if any, data brokers should play and how they should be regulated and monitored.

In late June, it was announced that US consumers — the majority of those affected in the breach — would finally see the consequences of Equifax's (in)action.

The result: nothing.

Nothing?
Well, technically, not "nothing," but close enough. Reuters details the consent decree approved by regulators in eight states, including New York, Texas, and California. The required action by Equifax was to complete a detailed assessment of cyber threats, increase board oversight, and improve patching processes for known security vulnerabilities. In essence, security 101.

With the exception of "board" oversight — but not oversight in general — these are all common security basics. They are part of the PCI standard that must be adhered to by any company processing credit card information. Yet the data broker that holds a huge piece of the credit rating market only now has to step "up" to this level of cybersecurity?

Alternatives
Let's work through a few "what-if" scenarios to explore the potential penalties that Equifax would have to face under various regulations.

1. If the Equifax breach had happened under GDPR in the EU (which took effect May 25, 2018), it's likely that the company would be hit with two major fines: the first for failing to adequately notify affected individuals, and the second for failing to secure the data in the first place.

Failing to notify would cost Equifax up to 2% of its global revenue, and failure to secure would cost up to another 4%. In 2017, Equifax had global revenues of $3.36 billion, so a combined 6% penalty means Equifax would have been fined about $201 million under GDPR for this breach.

2. If the Equifax breach had happened under the new California Consumer Privacy Act of 2018 (which comes into effect in 2020), it could face financial penalties. The penalties for data theft under this act range from $100 to $750 per California resident, or actual damages, whichever is greater.

We know from the initial data breach report that Equifax had records on 143 million Americans. That's about 56.9% of the eligible population. If we use that percentage for California, we have about 17.2 million affected California residents. That means that Equifax could have been fined between $1.7 billion and $12.75 billion for this breach.

Both penalties are a far cry from the $0.00 fine it received.

Frustration
The biggest challenge with the Equifax breach is that no affected user can take any reasonable action to prevent abuse of their information.

All of the recommendations (monitor your credit, carefully check your bank transactions, look out for identity theft, etc.) are reactive. They will only help highlight something that has already happened. Legislation like GDPR in the EU and the California Consumer Privacy Act is designed to shift the balance of power back to the owner of the information.

Make no mistake: Your information is yours. You only entrust it to others. Part of that trust is that they will do their best to protect it.

That's the real issue at the heart of the Equifax breach from the consumer point of view. At no point was that information explicitly entrusted to Equifax. The company simply acquired it and started to monetize it.

This is a case where strong individual rights for privacy and control over our data make sense.

Enough?
Thankfully — as reported by the New York Times — Equifax is still under investigation by a number of agencies, including the Federal Trade Commission, the Consumer Financial Protection Bureau, and the Securities and Exchange Commission. That means there is still hope that Equifax will face further punishment for a breach that never should have happened.

Hopefully, something will come of it. Cybersecurity as it is currently practiced is a constant and near-overwhelming challenge. Companies need to develop and maintain a culture of security, one that respects data privacy. With that in place, cybersecurity becomes far easier.

Cybersecurity is everyone's responsibility. That needs to be acknowledged and practiced before we can move forward.


Mark Nunnikhoven explores the impact of technology on individuals, organizations, and communities through the lens of privacy and security. Asking the question "How can we better protect our information?" Mark studies the world of cybercrime to better understand the risks ...