Equifax Data Breach: What Happened and What Small Business Owners Can Learn

It’s the stock sales by several executives that are likely to get the most scrutiny in light of the new timeline. On Aug. 1 and Aug. 2, regulatory filings show that three senior Equifax executives sold shares worth almost $1.8 million, with none of the filings listing the transactions as being part of scheduled 10b5-1 trading plans.

In September, the credit reporting bureau Equifax announced what might become the most financially significant data breach of the past several years. On July 29, Equifax discovered that a hacker -- or group of hackers -- had penetrated the bureau's database of consumer credit information. The hackers stole the personal information of 143 million United States citizens -- nearly 45 percent of the population -- including:

  • Names
  • Social security numbers
  • Mailing addresses
  • Birth dates

The hackers also stole some credit card numbers, credit report disputes, and driver's license numbers. Following the announcement, Equifax dismissed its Chief Information Officer and Chief Security Officer. Chief Executive Officer Richard Smith resigned.

How Did the Hackers Penetrate the Equifax Database?

Hackers breached the Equifax database by exploiting a flaw in the Apache Struts application framework.

Apache released a patch to correct the flaw in March 2017, but Equifax continued to use the vulnerable software rather than applying the patch. Some have suggested that Equifax also failed to protect customer data with strong encryption.

Since the hackers repeatedly breached the Equifax database from the middle of May through late July, many people believe that Equifax's method for detecting unusual network activity was inadequate, to say the least.

Up to now, Equifax has said only that criminals exploited an unspecified application vulnerability on its US site to gain access to certain files. Now, we know that the flaw was in Apache Struts and had been fixed months before the breach occurred.

What's This I've Read About an Earlier Equifax Data Breach?

A little over a week after Equifax's announcement of the May-July security breach, it came to light that hackers had also breached the company in March 2017.

Whether the hackers in the earlier breach were the same as those responsible for the May-July breach is unknown. It is also unknown what information was stolen during the earlier breach and whether the hackers involved in both breaches used the same Apache Struts vulnerability as an attack vector. According to the Bloomberg report that originally broke the story of the earlier attack, Equifax did not notify any consumers about the March breach.

Equifax did, however, notify some of its partner companies.

Security experts say victim companies have wide leeway about how deep an investigation they want outside investigators to do. Some clients will limit the breadth of access or the time outside investigators can spend on site. Others want a full assessment that encompasses their entire computer network and could include the identification of existing security vulnerabilities.

What Is the U.S. Government Doing to Help?

Days after the May-July Equifax data breach was discovered -- but before the breach was announced to the public -- three high-ranking Equifax executives sold an approximate combined total of $1.8 million in Equifax stock.

According to an Equifax statement, the executives were unaware of the breach when they sold their stock. The U.S. Justice Department has opened a criminal investigation with the goal of determining whether the executives sold their shares as a result of receiving insider information.

The Federal Trade Commission is also investigating the data breach to determine whether lax security practices at Equifax enabled or exacerbated the event. Multiple states and private law firms have also filed -- or intend to file -- lawsuits against Equifax.

How Does the Equifax Data Breach Affect My Small Business?

If you are the owner of a small business without a lot of history, you may have found it difficult to obtain lines of credit because many banks are reluctant to lend money to small businesses.

If you've ever needed to access credit to purchase inventory or pay your employees, the lending bank may have asked you to guarantee payback using your personal credit. In that case, the Equifax data breach could potentially affect the operation of your business because anything that damages your personal credit could also damage your ability to obtain a loan for your business.

At this time, the best thing that you can do to protect your business is to monitor your personal credit closely for any sign that someone may have fraudulently obtained credit in your name.

Scrutinizing your credit report will require time that you should be using to serve your existing customers and acquire new ones. Some business owners are already attempting to sue Equifax for reimbursement of their lost time.

"Given the way that the company has handled this data breach, I don't fully trust that Equifax is being truthful about the extent of it," said Tom Blake, the owner of Team Technical Services in Florida.

He's also joining the lawsuit, which is seeking class action status on behalf of all affected small business owners.

If your personal credit has no bearing on your business's ability to obtain a loan, you should consider placing a security freeze on your credit history.

At the time of writing, Equifax is waiving all fees for security freeze requests. A security freeze prevents any party from retrieving your credit history from the reporting bureau. Until you remove the freeze, it will be difficult or impossible for anyone -- including you -- to obtain credit in your name.

What Can I Do to Protect My Business's Sensitive Data?

In recent years, one major company after another has fallen victim to a data breach.

Understandably, you probably have concerns about the safety of the sensitive data that your company stores. For a major company, failure to update vulnerable software is inexcusable.

For a small business with limited IT resources, though, it's easy for routine tasks such as software updates to fall through the cracks. Likewise, monitoring your company's network for intrusion isn't easy when you don't have an employee to devote to the task.

Moving your company's services to the cloud can greatly enhance your security. Running software as a service, for example, means that you're always using the latest version of an application. There's no need to check for and install updates because the cloud provider performs all updates for you.

Monitoring for intrusions also becomes less of a concern because it is the cloud provider's full-time job to monitor its own network.

Speaking of...

Continuous provides high-level cloud migration services for businesses of all sizes. It's hard to deny that the cloud has revolutionized the way that modern business is performed.

Employers are now able to effectively manage a global workforce. In essence, you might be able to have production happening 24 hours a day! That's some serious streamlining.

If you feel that this is something that could benefit your company or you'd like to know more, we have all the answers and IT expertise you need to simplify your transition to the cloud.

Don't let your business become the next Equifax. Learn from their mistakes and be proactive about bolstering your cloud network security.