Why the Equifax Breach Is a Lesson in Using Different Passwords for Each Account
Back in September 2017, a consumer credit reporting agency Equifax experienced a severe data breach. During this Equifax breach, more than 143 million Social Security numbers were exposed and leaked. To put this into perspective, the number makes up more than half of the American adult population. This and consecutive breaches shed light on many festering problems within corporate cyber security. In this post, we will try to track the timeline of this major Equifax breach, and we will see what companies and users can do to protect their personally identifiable information (PII) to avoid identity theft.
The Equifax Breach Timeline
As mentioned, at first, Equifax reported that the company was hacked last September. It is always rather disappointing to hear that a company that handles personal data is breached, and this was no exception. According to various reports, hackers got away with such data as birth dates, driver’s license numbers, credit card numbers, addresses, and so on.
One of the most disturbing things about this Equifax breach was that it didn’t happen over one night. It occurred over the course of a few months from May to July 2017. Hackers were able to gain access to this data by exploiting a vulnerability in the Equifax website app. Needless to say, Equifax promised to review their software to prevent future attacks, but it doesn’t look like the company managed to do much immediately because the reports of identity theft kept on pouring in.
For instance, this March, it was reported that another 2.4 million consumers were affected by the same Equifax breach that occurred last year. This time the compromised data did not include Social Security numbers, but it did not mean that the breached data could not have been used for identity theft. The gravity of the situation was obvious when the former chief executive Richard Smith resigned back when the first news about the Equifax breach broke loose, accepting responsibility for it.
Consequently, appropriate authorities launched a probe into Equifax activities to see what could have been done to prevent this identity theft. The conclusion of the probe was that the company failed to keep their computer systems up to date. Aside from not taking adequate measures to avoid such hacks, Equifax also did not disclose the scale of the breach to the fullest. Hence, we had reports of the data that was stolen coming for a few months since the first disclosure.
So it is not surprising that this month, we had more reports coming in about Equifax breach, and this time the theft included a number of passport images and related information getting stolen. Of course, compared to the staggering number of 149.7 million individuals who got their data leaked, this newest report did not seem that massive. However, more than 3200 passport photos leaked is still an amount to be reckoned with. At least this set of breached data was leaked during the original breach, and no secondary identity theft was reported ever since. The problem here is that Equifax did not disclose information about everything that was reported at first.
As we have mentioned already, initially Equifax said that 143 million individuals were affected by the breach, but eventually, in their letter sent to the Senate Banking Committee, the company admitted that data of at least 147.9 million Americans were affected by the breach.
Although the report on the stolen passport images said that they were not stolen from new individuals, it still meant that the scope of the potential identity theft was a lot bigger than everyone eventually thought. Hackers got their hands on a wide range of personally identifiable information that can be used to forge fake accounts and steal tons of money.
What Businesses Should Learn From Equifax Breach
Equifax is not the only company in the world that can be a target for criminals that specialize in identity theft. We already mentioned that the reason the company experienced this data breach was a vulnerable browser app. Further probe into the issue revealed that businesses tend to use a vulnerable version of the software that manages private information, and they fail to update these applications to safe versions. This practice results in multiple data breaches that affect not only individual users but corporate businesses as well. For instance, more than 10,000 organizations were affected by the Equifax breach, too.
The vulnerable program in question was the Apache Struts open source software package. Equifax is not the only company that employs this program. There are other organizations that use it as well, and so the risk of identity theft only increases. The vulnerability in question forces the program to mishandle a file upload, and then hackers execute arbitrary commands that initiate the theft. There are six patched versions of this application, but businesses fail to install patches because the patched version of the software might not be compatible with their server middleware or their operating systems. In other words, fixing the vulnerability might be too bothersome for some companies.
However, unless the companies do something about it, such breaches will continue to occur. Perhaps regular security updates are daunting for businesses, but they are vital because poor cyber practices can easily lead to a number of security issues, including identity theft.
What Individual Users Should Learn From Equifax Breach
The means of dealing with data breaches for individual users are a little different from what businesses are expected to do. For example, if you think that you might have experienced data theft, depending on the type of data that was stolen, you can choose to place an initial fraud alert or credit freeze, which would prevent misuse of personal information. You should also review your credit report looking for any sign of identity theft. Not to mention that there are also professional monitoring services that can help you find whether your data security has been breached or not. Finally, you should always learn more about such illegal practices and their consequences.
We have actually covered the main data breach consequences in our blog before, but to recap, the impact of the breach depends on the type of data stolen. For instance, people might think that the data they enter during a sign up to any site is harmless, but that is definitely not the case. Every single piece of information can be used against you if it is leaked, so you need to do everything to prevent that from happening. The easiest way to avoid data breach is to use different passwords for different accounts.
In other words, if you want to protect your data, refrain from reusing passwords because that is the easiest way to identity theft. Although that is convenient, it is dangerous because multiple accounts can be hacked if they are protected by the same password. Of course, it is difficult to remember different passwords, especially if you have a lot of different accounts. Some people prefer to keep a list, but if you want something more convenient, you can always use a password manager like Cyclonis. Password managers generate strong, unique passwords for every single account, and that decreases the potential for crippling identity theft. Thus, please consider all the measures you can take to protect your data.