For better or worse we live in a credit driven (some would say a debt driven) world. Anyone who wants to own a home, drive a nice car or just partake of the finer things needs to cultivate and maintain a good credit rating. To that end there are three major agencies that provide most of the world’s credit reports – Experian, TransUnion and Equifax.
These are companies that hold unfathomable amounts of personal data which they use to devise credit reports that hold enormous sway over the quality of our lives. The idea that any one of these big data behemoths could or would fall victim to a malicious hack has long been one of the scenarios that have kept IT security professionals awake at night. And now it’s happened. We had a chat with a leading IT Support company in Glasgow and here’s what they had to say.
The Nightmare Scenario
For decades average people the world over have been asked to put their faith in the big three credit reporting agencies. Every time they’ve been asked to provide personal information there have been robust assurances that the information would remain absolutely confidential. Well, the days of blind trust in these (and by extension other companies that ask for personal information) are over. Because between May and July of 2017 Equifax was the target of one of the largest hacking operations in history.
During that time personal data on 143 million individuals was stolen from the Equifax servers by hackers exploiting what turned out to be a seemingly minor flaw in the company’s software. That data included names, birth dates, addresses, driver’s license numbers and the all-important Social Security numbers. Chances are if you’ve ever applied for credit in the US a hacker somewhere now has possession of your personal information.
Perhaps just as galling as the loss of privacy for so many people was the fact that the Equifax hack unfolded over the course of 3 months early in 2017. Every day during that period directors of the company showed up for work, held their meetings, discussed policy and continued to accumulate ever greater amounts of personal data while at the same time hackers scoured the Equifax servers for every last piece of information they could get their hands on.
When the company finally discovered the hack in July their response was less than exemplary.
They created a team to manage the crisis from an IT perspective in August and only announced their servers had been compromised in September. Following the revelation they botched the launch of a website intended to provide information to concerned consumers while language on their own site seemed to indicate that if a person wanted to know what was going on they first had to waive their right to sue the company.
In time these and other issues were set right but the damage to the company’s reputation was almost as significant as the amount of data lost in the hack and the CEO was forced to resign in disgrace.
While millions of consumers were horrified to learn their confidential information was now in the hands of criminals, business owners around the world were just as horrified by the implications of the Equifax hack. After all, if such a huge company – one that spends tens of millions of dollars a year on data security – could be violated in such a comprehensive manner, what does that say about the IT security of other, less well financed companies?
In the wake of the Equifax fiasco individual consumers are not the only ones who need to take a good long look at the way they conduct themselves. Businesses too need to take stock of their IT practices and determine a better way forward. The primary areas of concern boil down to:
- A) Getting some idea how the Equifax hack may impact your business directly and
- B) Taking steps to strengthen your current IT practices
Find Out if Your Business Was Affected
If you suspect your business may have been victimized by the Equifax hack there are a few steps you can take to protect yourself.
- Go to the Equifax Cybersecurity Incident Info page – They have a complete list of every company whose data was compromised. You can also sign up for the company’s free credit monitoring service which will inform you of any activity related to your information the minute it happens.
- Freeze Your Credit – If you learned through the Equifax Cybersecurity Incident page that your information was indeed stolen you should seriously consider freezing your company credit immediately. While this may be a significant inconvenience it may also prevent your company from being dragged into the abyss.
- Monitor Your Credit Report – You have a right to request a free credit report once a year. Do so. This can alert you to any problems that may have slipped through the cracks of your other security related efforts.
Ramp up Your Security Efforts
No one should feel bad for Equifax, though perhaps they should be thanked for providing two important lessons all businesses can and should learn:
- Address any Issues, Now – As it turns out Equifax was aware of the IT weakness the hackers used to gain entry to their servers. They had simply put off dealing with it, thinking it was not a significant issue. They could not have been more wrong and you should not make the same mistake. Order an immediate review of your IT security protocols and address any concerns, no matter how seemingly minor, without delay.
- Secure What Information You Have – Find out exactly what sensitive information you have on your servers, where it is and who has access to it and then take steps to protect as much of it as possible via additional security tools. This may include taking steps to classify all of your data so that hackers cannot gain access to the most sensitive information. Data classification can be time consuming and expensive but having vulnerable data on your server in this day and age simply isn’t going to cut it, as Equifax has hopefully taught us all.