By being in the business of tracking the data of millions of people, Equifax and similar firms would seem ethically and legally obliged to safeguard that sensitive information by all reasonable means. That the intrusion shouldn’t have happened is clear; that it would happen eventually was only a matter of time, unless it was preventable.
Was it? Let’s look at Equifax’s own timeline, from reported sources:
• Early March, 2017: The U.S. Computer Emergency Readiness Team (US-CERT) identified and disclosed a vulnerability in software supporting Equifax's online dispute portal. Equifax Security was aware of the vulnerability at the time, and "took efforts to identify and patch any vulnerable systems."
• May 13 to July 30: Equifax "cybersecurity incident" occurred.
• July 29: Equifax Security observed suspicious network traffic, and blocked it.
• July 30: Equifax Security observed more suspicious activity, and took the affected application offline. Equifax identified a vulnerability in the application, and patched it before bringing it back online.
• Aug. 2: Equifax contracted the independent cybersecurity firm Mandiant to determine the extent of the intrusion. Over several weeks, Mandiant found that the potentially compromised personal information included names, Social Security numbers, birthdates, addresses, and driver's license numbers of millions of U.S. consumers, plus credit card numbers and other documentation for between 280,000 and 400,000 U.S. consumers.
• Sept. 7: Over a month later, Equifax publicly acknowledged the data breach.
• Sept. 15: Equifax released these details on the cybersecurity incident, and announced the retirements of its chief information and chief security officers.
• Sept. 26: Equifax CEO Richard Smith retired.
What the Equifax release does not mention is a Reuters news report that a patch for the portal vulnerability was available in March, well before the attack, yet no decision was made to apply the patch as a routine preventive measure. Indeed, it wasn’t until two and a half months into the attack that Equifax finally remedied the vulnerability after the fact.
Considering this, perhaps it’s time to declare an emergency recall of golden parachutes pending an independent investigation, maybe one or more criminal negligence indictments, and Equifax’s unqualified acceptance of all responsibility, effort, and cost to restore the personal security of every one of those millions of affected individuals. Some might consider this an unfair burden on Equifax. But many more, I think, would agree it’s a reasonable expectation for all companies that collect and store personal data.
S.A. Joyce is one of our regular community contributors.