On Thursday, September 7, 2017, the credit reporting giant Equifax Inc. revealed that “highly sensitive personal and financial information for around 143 million U.S. consumers was compromised in an [ongoing] cybersecurity breach” that started as early as mid-May of 2017. ((Gillian B. White, A Cybersecurity Breach at Equifax Left Pretty Much Everyone’s Financial Data Vulnerable, The Atlantic (Sept. 7, 2017), https://www.theatlantic.com/business/archive/2017/09/equifax-cybersecurity-breach/539178/; see generally Equifax, Rick Smith, Chairman and CEO of Equifax, on Cybersecurity Incident Involving Consumer Data, YouTube (Sept. 7, 2017), https://www.youtube.com/watch?v=bh1gzJFVFLc (“The unauthorized access occurred between mid-May and July”).)) According to Equifax, criminals were able to access, among other things, “the social security numbers, birth dates, and addresses” of consumers. ((White, supra note 1.)) The repercussions of such a far-reaching breach of critical personal information are clear—“more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come.” ((Dan Goodin, Why the Equifax breach is very possibly the worst leak of personal info ever, Ars Technica (Sept. 8, 2017), https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/.)) What is less clear, however, is how Equifax—which had roughly two months’ notice of the vulnerability before the attack began—failed to take any corrective action.
The vulnerability through which the attackers first gained unauthorized access to Equifax’s internal servers is tracked as CVE-2017-5638, a flaw in Apache Struts. ((Zack Whittaker, Equifax confirms Apache Struts security flaw it failed to patch is to blame for hack, ZDNet (Sept. 14, 2017), http://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-failed-to-patch-was-to-blame-for-data-breach/.)) Apache Struts is an open-source web application framework “used across the Fortune 100 to [power websites], including Equifax’s public website.” ((Id.)) The flaw let an unauthenticated attacker run arbitrary code on the web server with a single crafted HTTP request; no credentials and no user interaction were required. Apache released a fix on March 6, 2017—essentially announcing the flaw’s existence with the release—but Equifax nonetheless failed to update the Struts version its site was running. ((Cf. Goodin, supra note 3.)) That a company dealing almost exclusively in sensitive personal information would miss, or fail to monitor, such a vulnerability and its fix for upwards of two months is difficult to fathom. Consider that only three days after Apache’s update “the [identified vulnerability] was already under mass attack by hackers [across the internet] who were exploiting the flaw to install rogue applications on web servers.” ((Dan Goodin, Failure to patch two-month-old bug led to massive Equifax breach, Ars Technica (Sept. 14, 2017), https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/.))
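The two checks a practitioner would have wanted during those two months are an inventory check (is the deployed Struts build inside the range the S2-045 advisory lists as affected?) and a traffic check (does a request carry the OGNL expression this flaw evaluated out of the Content-Type header?). The following is an added example written for this post, not code from the original article, from Equifax or from the Apache project. The version ranges (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1) and the `%{...}` marker are public facts about the CVE that the post itself does not state; the sample requests and the helper names (`struts_is_vulnerable`, `scan_headers`) are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Version ranges the Struts S2-045 advisory lists as affected by
# CVE-2017-5638: 2.3.5 through 2.3.31 and 2.5 through 2.5.10.
# Fixed in 2.3.32 and 2.5.10.1 (the March 2017 release the post refers to).
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 32)),      # [2.3.5, 2.3.32)
    ((2, 5, 0), (2, 5, 10, 1)),   # [2.5.0, 2.5.10.1)
)


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Non-numeric suffixes such as
    '-SNAPSHOT' are dropped; short versions are padded ('2.5' -> (2, 5, 0))."""
    parts: List[int] = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def struts_is_vulnerable(version: str) -> bool:
    """True if a Struts version string falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Markers of an OGNL expression injected into a request header. The
# S2-045 exploits placed a "%{...}" expression in the Content-Type
# header, which the Jakarta Multipart parser evaluated while building an
# error message. The extra tokens are typical of the public payloads.
OGNL_MARKERS = re.compile(
    r"[%$]\{|@ognl\.OgnlContext@|#_memberAccess|@java\.lang\.Runtime@",
    re.IGNORECASE,
)


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request head into its request line and a
    lower-cased header map (the body, if any, is ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def scan_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (header name, matched marker) for every header whose value
    looks like an OGNL expression. An empty list means no hit."""
    _, headers = parse_request(raw)
    hits = []
    for name, value in headers.items():
        match = OGNL_MARKERS.search(value)
        if match:
            hits.append((name, match.group(0)))
    return hits


# Constructed sample traffic (not real captures): an ordinary upload and
# a request shaped like the S2-045 probes, abbreviated so that it is not
# a working exploit.
BENIGN_UPLOAD = (
    "POST /upload HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    "Content-Length: 348\r\n"
    "\r\n"
)

EXPLOIT_ATTEMPT = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        state = "VULNERABLE" if struts_is_vulnerable(ver) else "patched"
        print(f"Struts {ver}: {state}")
    for label, req in (("benign", BENIGN_UPLOAD), ("probe", EXPLOIT_ATTEMPT)):
        print(f"{label}: {scan_headers(req) or 'no OGNL markers'}")
```

The header scan is a heuristic, not a substitute for patching: a benign multipart upload passes untouched, while anything carrying an expression delimiter in a header value is flagged for review. The version check is the part that would have mattered in March 2017, since a patched build is immune regardless of what the request contains.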
Indeed, it was not as though Equifax was unaware of general security vulnerabilities in its systems. As far back as February 2017, Equifax knew that identity thieves had been “feeding stolen Social Security numbers and other personal information into login pages for Equifax Workforce Solutions” in a separate attack, thereby “downloading W-2 and other tax forms for dozens of employees of clients including [Whole Foods].” ((Michael Riley et al., The Equifax Hack Has the Hallmarks of State-Sponsored Pros, Bloomberg Businessweek (Sep. 29, 2017), https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros.)) As a result, Equifax hired the cybersecurity firm Mandiant to audit internal security weaknesses related to those scams. ((Id.)) During that audit, “Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems,” but there is no indication that any remedial action was taken at that time, either. ((Id.))
Altogether, it appears clear that Equifax lacks the expertise or institutional competence necessary to adequately protect consumers’ private information. Consider that the very site Equifax set up in the wake of its breach announcement—to let consumers enter their names and Social Security numbers to find out whether they were affected—has itself been compromised. ((See Chris Morris, Was Equifax Hacked Again?, Fortune (Oct. 12, 2017), http://fortune.com/2017/10/12/equifax-hacked-again-adware/; Brian Krebs, Equifax Breach Response Turns Dumpster Fire, Krebs On Security (Sep. 17, 2017), https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/.)) Equifax itself, through its official Twitter account, has on several occasions inadvertently directed consumers to “visit a knock-off website” mocking the company’s lackluster security practices. ((Dan Goodin, Equifax sends breach victims to fake notification site, Ars Technica (Sept. 20, 2017), https://arstechnica.com/information-technology/2017/09/equifax-directs-breach-victims-to-fake-notification-site/.))
The question remains, then: how could this happen? How is it that the de facto keeper of vast swaths of sensitive consumer information could have been, and can continue to be, so careless and incompetent? The answer is straightforward: the consequences of a failure on this scale simply don’t weigh heavily enough to make companies like Equifax pay attention.
The free market itself is not enough to police failures even of this magnitude. Although Equifax shares fell sharply from their pre-announcement price, they are already beginning to rebound. ((See Wallace Witkowski, Equifax stock slapped after hack, but analysts say it is a short-term speed bump, MarketWatch (Sep. 8, 2017), https://www.marketwatch.com/story/equifax-hack-seen-as-short-term-speed-bump-by-analysts-2017-09-08.)) Some investors argue that “[o]ne of the best buying opportunities occurs when a company with an impressive track record [like Equifax] suffers a temporary setback that pummels its share price.” ((Mark Hulbert, Opinion: Who has the guts to buy Equifax stock — and potentially make a killing?, MarketWatch (Oct. 13, 2017), https://www.marketwatch.com/story/who-has-the-guts-to-buy-equifax-stock-and-potentially-make-a-killing-2017-10-13.)) Indeed, it is well recognized that “even the most significant recent breaches [like those at Target and Home Depot] had very little impact on the company’s stock price. Industry analysts have inferred that shareholders are numb to news of data breaches.” ((Elena Kvochko & Rajiv Pant, Why Data Breaches Don’t Hurt Stock Prices, Harv. Bus. Rev. (Mar. 31, 2015), https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices.))
Where the forces of the free market offer no bite, neither does the law. As one columnist put it, “lawmakers at the state and federal level have been inexcusably lax about regulating [data firms like Equifax] and any others holding sensitive consumer information.” ((Michael Hiltzik, Here are all the ways the Equifax breach is worse than you can imagine, L.A. Times (Sept. 8, 2017), http://beta.latimes.com/business/hiltzik/la-fi-hiltzik-equifax-breach-20170908-story.html.)) “Only eight states — Connecticut, Florida, Maine, New Mexico, Ohio, Rhode Island, Tennessee and Vermont — impose a firm deadline on how quickly companies must inform consumers of a breach, usually 30 to 90 days after its discovery.” ((Id.)) More importantly, although Equifax “has amassed one of the most extensive and comprehensive databases of consumer financial data,” it nonetheless operates free of the stringent “legal and regulatory oversight that helps bolster data protection” in industries like banking. ((Summer Danzeisen, Equifax Breach Highlights Regulatory Gaps in Data Privacy Protection, Geo. L. Tech. Rev. (Sept. 2017), https://www.georgetownlawtechreview.org/equifax-breach-highlights-regulatory-gaps-in-data-privacy-protection/GLTR-09-2017/.))
Indeed, Equifax is an undeserving beneficiary of a major gray area in the contemporary statutory scheme. The fact that most consumers “do not provide [their personal, sensitive] information directly to Equifax will [make] getting past the pleading (or motion to dismiss) stage even more difficult for some classes of plaintiffs [as] [v]irtually all data breach litigation has been brought by aggrieved consumers who claim they suffered harm after they gave their personally identifiable information directly to a company that got hacked.” ((Brenda R. Sharton & David S. Kantrowitz, Equifax and Why It’s So Hard to Sue a Company for Losing Your Personal Information, Harv. Bus. Rev. (Sep. 22, 2017), https://hbr.org/2017/09/equifax-and-why-its-so-hard-to-sue-a-company-for-losing-your-personal-information.)) Until the gap between the magnitude of responsibility companies like Equifax hold and the consequences of failure is narrowed—through detailed legislation or otherwise—we need only wait for news of the next big breach.
Kevin Kenney, Equifax and the Unsustainable Status Quo (February 20, 2018)