We now know the Equifax data breach, which impacts almost 60% of the US adult population, was preceded by another breach or series of breaches of unknown magnitude back in March. We also know the July mega breach exploited a flaw in third-party code (Apache Struts) that Equifax knew about and failed to fix. Meanwhile, senior Equifax execs dumped stock and two key information security officers “retired” shortly after the hack was announced.
Equifax obviously should have moved faster and more decisively to update its web applications, given the privilege of its position and the magnitude of trust that American citizens have—largely unknowingly and involuntarily—placed in it.
Those of us with credit histories don’t choose to be customers of Equifax or the other credit bureaus. Nor do we choose to share our personal and financial data with them. Yet Equifax executives face no special penalties for blatantly failing to keep our data safe.
How Are Credit Reporting Agencies Like Equifax Regulated?
As a credit reporting bureau, Equifax is subject to some additional FTC regulations, such as the Fair Credit Reporting Act (FCRA). Their worldwide footprint makes them subject to the EU’s GDPR as well. Because they process medical information, they are also subject to HIPAA. And because they take credit card payments for their services, they’re subject to PCI.
But despite all these regulatory mandates, Equifax is not currently required to have any form of security attestation. Equifax claims to model its information security management system (ISMS) around the ISO 27001 framework. But it’s unclear (and therefore unlikely) whether the company has a certificate from an accredited registrar.
What Further Proof Do You Need That Compliance Doesn’t Equal Security?
It’s not like we couldn’t see a breach like this coming. A precedent for a major hack of a consumer information clearinghouse is the 2005 ChoicePoint breach, which compromised a mere 163,000 records. A provider of data used in background checks (and, interestingly, an Equifax spinoff), ChoicePoint paid $10 million in civil penalties and $5 million to compensate consumers. The firm took the incident to heart, changing how it did business and enduring more than 80 external audits in the two years following the attack.
Twelve years later, Equifax is hacked a thousand times worse than ChoicePoint in terms of the numbers of people affected, yet will probably face little more than a slap on the wrist despite consumer outrage. If you need further proof the credit reporting industry needs more regulatory oversight, Equifax and TransUnion were fined $23 million back in January for misleading consumers about the pricing and value of its credit products.
In the current political climate, information security is hyper-hyped. Yet actually doing anything about it seems all too often to be an afterthought.
Strengthen Your Organization Now
If you’re looking to strengthen your organization’s security and compliance posture before your critical data (and customer data) is compromised, contact Pivot Point Security.