“Ineptitude, negligence and lax security” behind leak that cost US firm millions

Cyber security malpractice has cost US credit reference agency Equifax a record-breaking $700 million (£560 million), after it failed to fix a vulnerability that enabled hackers to gain personal information from customers in the UK, USA and around the world.

The problems began in March 2017, when Equifax was alerted to a “critical security vulnerability” in its system by the Federal Trade Commission (FTC) and ordered to patch it within 48 hours. In July that year, the FTC noticed irregularities in traffic on the Equifax system, which it soon realised was because the fix was never actually completed.

Surely enough, during this time the vulnerability was exploited by hackers, who gained access to an admin file that allowed them to operate the Equifax network. From here they could uncover the personal information of more than 147 million account holders – of which around 15 million were in the UK. Information harvested by the hackers included names, dates of birth, addresses, credit card numbers and driver’s licence numbers.

To make matters worse for Equifax, it emerged later that this admin file wasn’t just unsecured, but stored in plain text – which only served to make the hackers’ lives that bit easier.

Part of the fine (£349 million) will be used for compensation and to cover the cost of credit monitoring facilities for affected customers.

The UK’s Information Commissioner’s Office fined Equifax the maximum £500,000. Had the breach taken place after the EU’s GDPR regulation was introduced, however, the company could instead have been facing a penalty of up to £120 million.

Perhaps most frustrating for the FTC was the ease in which this scenario could have been avoided. Its chairman Joe Simons told sky.com: “Equifax failed to take basic steps that may have prevented the breach.”

One of the investigation leaders, New York attorney general Letitia James was more damning in her verdict. “Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” she said.

“This company’s ineptitude, negligence, and lax security standards endangered the identities of half the US population.”

For its part, Equifax has promised to conduct an annual internal assessment of security risks and for an independent assessment to be completed every two years.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

“Ineptitude, negligence and lax security” behind leak that cost US firm millions

Categories

Horsham Office: 01293 871971 | London Office: 0203 763 3919 | IT Support: 01293 876000