Back in July 2017, the public was shocked. At the time, Equifax revealed a massive breach of data affecting more than 140 million people, and the data that was stolen remains frightening to this day: full names, dates of birth, social security numbers, credit card numbers, and even driver’s licenses. Even as a settlement has been reached, the breach will continue to impact people for years to come.
While many people ask what they can do to protect themselves, the “How” of the hack quickly disappeared into the initial news fury. In short, the New York Times said, “Criminals gained access to certain files in the company’s system from mid-May to July by exploiting a weak point in website software.”
From the Equifax disaster, here are two things to point out that show how your weaknesses define the strength of your cyber security.
- It took the company weeks to realize the hack happened. Here’s the timeline. Hackers gained access to the data in May 2017. Equifax discovered the breach on July 29. The company announced it to the public on September 7. Hackers had access to do whatever they felt like with a ton of sensitive data for more than a month! Equifax didn’t have a clue. Then, when Equifax finally found out, it took the company over another month to tell the public. Why? Was it working on a scheme to try and save the company’s reputation? Was it unable to figure out what data was compromised? Did employees not know how to shut down the access and waited to figure that out? Who knows. But we do know that this points a whole lot of fingers at structurally unsound security.
- Equifax didn’t respond to previous breaches. A little further into the details the New York Times’ reporting, it turns out that Equifax was hacked in 2016, as well. At that time, cyber criminals stole W-2 and salary data from the company’s website. And then (because that’s not enough to warn the company about some major issues with data protection), it was hacked again in early 2017 through a subsidiary. Thieves stole additional W-2s at that time. Equifax failed in so many ways, such as not fixing website security flaws as soon as weaknesses were exploited and neglecting to set up multiple layers of control for online accessible information. The truth is, every company is vulnerable in some way. Cyber security must be ongoing and evolving actions. Businesses and individuals must be vigilant in constantly reviewing procedures, logging access, securing networks, training individuals, and reviewing disaster recovery plans.
We all know the importance of brushing our teeth each day, washing our hands to prevent germs, getting regular oil changes for your car, and changing the furnace air filter. Think of cyber security as critical maintenance for your data. If you don’t make it an important habit with a routine schedule, you’ll find out that you were unaware of a breach and are unprepared for the response. Start today. Put it at the top of your to-do list.