Learning from Equifax’s Cautionary Tale

Posted on 17 November 2019

In 2019 – and during Cyber Security month, no less – we were all served with a cautionary tale when further details around Equifax’s breach surfaced, two years after the breach initially made headlines. The organisation has undoubtedly learned some hard lessons from this, but what can the rest of us learn?


Although it’s over two years old now, the data breach that Equifax experienced in 2017 is still considered to be one of the worst of all time – and it continues to make headlines because of this.

The breach exposed the highly sensitive information of 147 million people globally, including their personal addresses and social security numbers. As a result, the billion-dollar finance company was fined a whopping $700 million, with $425 million of that going to affected customers in the form of compensation.

At the heart of the matter, it seemed like failure to patch a web server – a basic error in itself – was the cause of the data breach. Thanks to a 2019 class action lawsuit, additional information emerged, hinting that the crisis ran much deeper than first thought. Here’s what happened.


The Password isn’t “Password,” But it Might as Well Be

To make the shock and awe of a data breach of this magnitude just a little worse, the filing in the U.S. District court showed that Equifax was housing sensitive personal information on a system with insecure credentials. Yes, you guessed it: the username was ‘admin’, and the password was… also ‘admin’.

According to the class action lawsuit, this was “a sure-fire way to get hacked” and it’s hard to disagree. But wait, it gets worse. The lawsuit also points out that Equifax stored unencrypted user data on a public-facing server, leaving everything open to any attacker that chooses to compromise said server.

Equifax also failed to encrypt its mobile applications, and on top of this, in the instances where it did encrypt data, it left encryption keys on the same public-facing server – which is pretty much akin to leaving the combination of a safe next to the dial.


Trust Issues

Even in a case this size, it’s remarkable that two years after the breach, more details emerged – further eroding what is left of customer trust in the Equifax name.

Compounding this is the firm’s inability to meet the $20,000 pay-outs customers were expecting, with many unable to get even $125. Instead, free credit monitoring has been offered as compensation, but with trust at an all-time low, it’s hard to imagine many taking Equifax up on the offer.

If there was ever proof needed that poor cyber security practices can devastate a brand’s reputation and revenue, this is it – but the devastation isn’t just limited to the likes of Equifax and other Wall Street/Silicon Valley staples. Every organisation is at risk, and every organisation has the chance to learn from lessons such as these and mitigate that risk.


Three Steps to Take Today

1. Demand Strong Passwords

If there’s one main lesson to learn from this mess, it’s the most basic of all: strong passwords should be mandatory. Adopting a strong password policy throughout your organisation is the first line of defence – it goes without saying that “password” and “123456” aren’t good enough, so ensure your employees are using long-line pass phrases with numbers and special characters woven in, and that passwords are regularly updated.

2. Try Single Sign-On (SSO)

To guard your corporate data from sophisticated hackers, you’re going to need to take your authentication to the next level, and for this, you need Single Sign-On. With SSO, users only have to enter one set of credentials to access their web apps in the cloud and behind the company firewall. Our partners OneLogin specialise in SSO, and their IAM solutions are a great step towards building trusted experiences for your workforce, customers, and partners.

3. Introduce Multi-Factor Authentication (MFA)

Another great way to strengthen your log-in processes is to introduce Multi-Factor Authentication into your business. You may have heard of 2-Step authentication, but MFA takes it several steps further, offering users a multitude of different ways to log in, including sophisticated biometrics, SMS, pin codes, and more. As a Microsoft Gold Partner, we’re perfectly positioned to help you facilitate MFA in your organisation, with the help of Microsoft’s sophisticated solutions.


If you’d like to know more about how SSO and MFA can help you avoid expensive data breaches, please get in touch with a member of our dedicated team.

A few people we've already done it for