Since the turn of the
decade, cybersecurity has been a much-discussed topic among corporate leaders
owing to the sensitive data companies possess and the steep rise in cyber
threats. However, until recently, cyber-attacks were largely seen by the public
as an inevitable nuisance with a limited impact on day-to-day life. This
changed on September 7, 2017, when Equifax, one of the largest credit reporting
companies in the United States, revealed that they had been subject to a major
The cyber-attack on
Equifax was the first instance where hackers gained access to a large database
of digital identities and classified personal information. As a result, the
Equifax breach led to widespread frustration among the American public and a
growing realization about the risks associated with digital identities.
The attack on Equifax
The Equifax breach
occurred from mid-May through July 2017 and was discovered on July 29, 2017.
Owing to a loophole in American laws, the company only reported the incident on
September 7, 2017. The data accessed through the breach included names, Social
Security numbers, birth dates, addresses and license details. In some instances,
details pertaining to credit card information and personal documents were also
accessed. It was later disclosed that 145.5 million Americans were impacted by
the breach. Further, the breach also impacted people in Canada and the UK.
received a lot of flak for being lax about security and the company faced
widespread repercussions. From a financial perspective, the market
capitalization fell by $4 billion as the stock tumbled by 34% in the aftermath
of the breach. The company also incurred a one-time charge of $87.5 million
related to the cybersecurity incident. Equifax went through a turbulent time
after the breach owing to management changes and class action suits. The impact
of the breach on customer trust and future business growth is perhaps even more
important, as indicated by the drop of 27% in Q3 net income owing to customer
The subsequent autopsy
of the breach revealed that Equifax was attacked through a vulnerability in its
web application software. The company had not followed the cybersecurity
principles endorsed by the government and it had paid the price. The breach
resulted in greater awareness about the cyber threats faced by companies and
the importance of enforcing stringent cybersecurity regulations. Companies in
diverse sectors had to deal with questions regarding their cybersecurity. For
instance, financial services firms had to handle queries regarding their
dependence on the data collected by credit reporting agencies.
Reactions and Policy
Mike Shultz, CEO of
Cybernance, stated that the Equifax breach was the 9/11 moment for cyber-attacks.
The breach did result in a lot of focus on the issue of cybersecurity. The lack
of cybersecurity regulations and legal action against companies that suffer
breaches came to the fore. After the Equifax incident, several pieces of
legislation have been proposed by US senators regarding data breaches and
disclosure. One of these proposals requires companies to report breaches within
30 days. Another levies harsh penalties on credit reporting
agencies that suffer data breaches.
After the Equifax
breach, reports surfaced that the Trump administration was looking for ways to
phase out the archaic social security system in order to avoid another
disaster. The Equifax breach became a major talking point in other parts of the
world as well. The European Union has agreed on a data breach notification
standard which is set to come into force in May 2018. This policy would apply
to companies like Equifax which have a European presence. In India, a fresh
layer of security has been added to Aadhaar, India’s version of social
The Equifax breach has
spread awareness all over the world about the dire need to upgrade
cybersecurity infrastructure. It has resulted in a lot of debate about
regulations and technical proficiency. As evidenced by Equifax’s case, the loss
of personal information can cripple the business and erode consumer trust.
Hence, it is in the best interest of companies to adopt strict cybersecurity
standards. Legislation on stringent cybersecurity regulation has been
proposed earlier as well but was rejected owing to powerful lobbies. One hopes
that governments realise the threat and pass the legislation this time around.