Three Years After the Equifax Data Breach: What Happened and What Businesses Can Learn From It
Three years ago, the data of 143 million Americans—social security numbers, credit card numbers—was exposed in the Equifax data breach. It also affected businesses of all sizes. Equifax is known as one of the “big three” credit reporting bureaus, and when they finally announced the data security failure on September 7, 2017, it was obviously very big news.
Even if you don’t follow cybersecurity, you’ve probably heard something about the breach, the delay in announcing it, and the resulting fallout. Chances are, you may have even been affected.
Now, on the third anniversary of the breach, it’s helpful to understand what happened, so that protecting the data of your online business stays top of mind.
How the Equifax Security Breach Happened
It wasn’t until February of 2020 that the culprits behind the Equifax Breach were finally revealed. The Department of Justice released a nine-count indictment charging four members of China’s People’s Liberation Army.
Were these hackers super-elite geniuses who took down highly secured data stores? Possibly. But like so many data breaches and hacks, the Equifax Breach was made possible by an unpatched application.
Equifax was made aware of and told to patch this vulnerability on March 9, 2017. This didn’t happen, and forensics later revealed that hackers began accessing Equifax systems on March 10.
Once the hackers were inside, they set up a complicated system to hide their activities. They even set up 34 servers across 20 countries to infiltrate Equifax and to help cover their tracks.
Equifax didn’t discover the breach until July 29, 2017. But, they didn’t alert the public until September. A couple of managers even sold stock once the breach was found, and were later charged with insider trading.
How a Data Breach Can Affect Businesses
While it’s obvious why the data breach is worrying for consumers with their personal data potentially falling into the wrong hands, the Equifax data breach also raised some concerns for independent businesses.
One way a data breach can directly affect independent businesses is when they need to access credit or a loan. As business owners often rely on funding through personal lines of credit or business loans, they could be negatively impacted, especially in the event that fraudulent accounts are opened in their names. This kind of credit vulnerability can ultimately lead to higher rates or even rejections on loan applications. And, Equifax has no responsibility to report to businesses if data has been compromised, unlike with consumers.
Additionally, if you had employees that were affected by the breach, you may have suffered some decreases in productivity as they had to deal with the fallout around their personal data being compromised. Some estimates say that it can take up to several months to clean up the mess caused by identity theft, which can inevitably cut into working hours.
Then there’s the cost of additional cybersecurity measures needed to protect businesses, which can quickly eat up substantial portions of IT budgets in the prevention of fraud.
Basic Ways for Safeguarding Sensitive Data
While no protection plans are completely foolproof, there are steps you can take to help protect your business’s data and that of your customers.
Jason Hoenich, President and Founder of security awareness training startup Habitu8, knows a thing or two about helping businesses secure their data. Before starting Habitu8, he built a security training program for the Walt Disney Company. “As a business owner, it is key to have the fundamentals covered from a cybersecurity perspective. You may not be the person who knows how to do this, but you can still ensure that you’ve hired or contracted with professionals that do.”
To truly safeguard your customers’ data, Hoenich recommends working with trusted services and platforms. “The best practice is to not own any of the systems/servers processing the data and to utilize a trusted third-party provider,” he said. While this is the case for many online businesses already, this way, you are leveraging more sophisticated and seasoned resources for protection. Also, ensuring that your antivirus software is updated regularly is another important way for minimizing vulnerabilities.
If you’ve got employees who handle customer transactions, credit card numbers, or other sensitive information, Hoenich also recommends regular annual training along with refresher courses (not just once every couple of years), on different types of fraud techniques, how to monitor for suspicious transactions, and odd behavior to look out for. Fraud protection can also be bolstered by implementing a policy that puts strong password requirements in place for employees.
Hoenich has straightforward advice for what to do right away if your business is the victim of a data security breach. “If a company has a breach, the first thing they need to understand is their legal requirements for their governing body or state. Typically this requires a company contacting local law enforcement, who can provide next-step guidance. Also, if this happens, all small businesses should have a go-to security expert who can help reduce any ongoing breach activity.”
If the Equifax data breach of 2017 offers us anything, it’s that planning for the possibilities of a data breach or incident in advance, while communicating clearly with staff or employees about the next steps is key. “Every business should be on alert—no retailer is too small or too big to be targeted,” Hoenich adds.
