ONE YEAR LATER - What have we really learned from the Equifax breach?

November 12, 2018 Avani Desai

Equifax announced the data breach that shook the world in September 2017—three months after the company discovered it. Malicious actors snatched consumer data by making the most of a security flaw within a tool used to build web applications. Equifax eventually admitted that it knew of the security flaw months before disclosing the breach.

In March 2018, Equifax reported that the breach victimized 2.4 million more Americans beyond the original estimate of 145.5 million. The company had unwittingly turned over their names, addresses, ID images, Social Security and driver’s license numbers, and passport data. Equifax pledged to notify victims and provide identity theft protection and credit monitoring.

And now, a year later, Equifax awaits another set of verdicts. Will the company pay for having leaked sensitive personal information to those bent on identity theft? Will states’ attorneys general and civil lawsuits point the finger of blame at Equifax? And will a frustrated Congress piggyback on the data breach disclosure laws now operative in all 50 states? Experts continue to question if U.S.-based companies should report a data breach within 30 days and if executives should face up to five years in prison for breach concealment.


One thing is for sure. The Equifax breach was a watershed moment for security professionals, C-suite executives, and the public relations, compliance and legal team members who plan for and respond to data breaches. Among the key areas of impact are the following:

Assumption of accountability: Before the Equifax breach, people assumed that the company had the controls to safeguard privacy and security. Post-breach, a growing number of organizations have accepted accountability for third-party performance, according to Avani Desai, president of Schellman & Company, a security and privacy compliance assessor. The result: an uptick of internal third-party vendor management to ensure proper testing of controls.

Attention to monitoring: “Organizations are more interested in monitoring specific pieces of personal and confidential information,” says Ron Schlecht, managing partner at BTB Security, an information and IT security company. “Independent of regulations or compliance guidelines, these organizations now compel vendors to install, monitor and test adequate security protections.”

Enhanced consumer awareness: Both 2017 and 2018 were banner years for consumer awareness. For the first time, consumers developed genuine insight into the significance of safeguarding data, privacy and security.

“Five to 10 years ago, consumers didn’t realize the impact of stolen data,” says Desai. “Today, they’re more mature and demanding and pose questions like ‘Are you giving my data to a third party? Will you be encrypting it?’”

Enhanced employee awareness: “Workers are more in tune with the fact that every organization stores personal and confidential information,” says Schlecht. “They realize that they must protect that information and understand what must be done in the event of a breach.”

Information security insight: “The breach was a wake-up call to the security community on the potential misuse of information because Equifax is a major data broker and a lynchpin to privacy,” says Schlecht. “The breach got attention because of the unprecedented number of people who were affected.”

“Send candid, supportive communications to employees, consumers, the media and anyone else affected by the breach,” advises Desai. “Just as important, identify the causes and extent of the breach and specific vulnerabilities along with a pledge to prevent further data exploits.”

Read full article at InfoSecurity Professional Magazine


About the Author

Avani Desai

Avani Desai is the President at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named one of the 2017 Global Leaders in Consulting by Consulting Magazine, she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more.
