What Lessons Does the Equifax Breach Teach Us?
The Equifax breach of 2017 caused massive ripple effects throughout the financial industry. Here are 3 lessons that we think are important takeaways for financial firms of any size.
We’ve already explained how the 2017 Equifax breach happened. But in case you want the TL;DR version, we’ll give you a brief recap.
Then, we’ll discuss what any organization can learn from the massive Equifax breach.
How the Equifax Breach Happened
In May of 2017, an unpatched software flaw on Equifax’s computer system allowed hackers to access plain-text information on nearly 150 million users. The records breached included names, dates of birth, Social Security numbers, addresses, and driver’s license numbers.
Even more shocking were the missteps Equifax had been taking in their security practices. The investigation into the data breach revealed Equifax simply failed to take basic steps to secure their data.
These three lessons were the most important takeaways:
1. Update Your Software
When you’re using technology, it’s important to ensure that your software remains up to date, especially when it comes to software patches. Not patching your software is a lot like not getting a vaccine:
You’ll eventually regret it.
Despite having some of the most valuable and sensitive financial data, Equifax had gone almost 90 days without updating Apache Struts, which they were using as a Customer Relationship Manager (CRM). If Equifax had kept their software updated, the breach might have never happened.
Keep your software updated, and you’ll appreciate the peace of mind that it brings you and your customers.
2. Use Pass Phrases over Passwords
People generally have terrible passwords. And bad passwords are everywhere. The tech to equip people with better and better passwords is out there. But there are still people who use terrible passwords to secure some of their most sensitive data.
Equifax was no exception. Once the hackers breached Apache Struts, they had to gain administrative access. But this was easy to guess. The username was “admin.”
The password: “admin.”
After the hackers gained admin access, they were able to access a list of all of the employee passwords, which were generated from employee names.
Passwords with random letters and numbers are some of the worst passwords to remember and create. It’s much better to create a pass phrase: one that you don’t have to write down, is easy to memorize, and doesn’t use personal info.
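As an added example (not from the original post or from Equifax): a small Python check, run at the moment a password is set, that rejects the two failure modes described above, a default credential such as admin/admin and a password generated from the employee’s name. The function names and the short default-password list are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed, illustrative list of default-style passwords (not exhaustive).
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "root", "letmein"}

def _norm(s):
    """Lowercase, strip accents and non-alphanumerics ("O'Neil" -> "oneil")."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", s.lower())

def _strip_digits(pw):
    """Drop leading/trailing digits so 'jdoe2017' reduces to 'jdoe'."""
    return re.sub(r"^\d+|\d+$", "", pw)

def name_candidates(username, full_name):
    """Strings an attacker would try first: the login, name parts, common combos."""
    parts = [p for p in (_norm(x) for x in full_name.split()) if p]
    cands = {_norm(username), *parts, "".join(parts), "".join(reversed(parts))}
    if len(parts) >= 2:
        first, last = parts[0], parts[-1]
        cands |= {first[0] + last, first + last[0], last + first[0]}
    # Ignore fragments shorter than 3 characters to limit false positives.
    return {c for c in cands if len(c) >= 3}

def audit_password(username, full_name, candidate):
    """Return the reasons to reject `candidate`; an empty list means it passed."""
    reasons = []
    pw = _norm(candidate)
    core = _strip_digits(pw)
    if pw in DEFAULT_PASSWORDS or core in DEFAULT_PASSWORDS:
        reasons.append("default")
    if pw == _norm(username):
        reasons.append("same-as-username")
    if any(c in core for c in name_candidates(username, full_name)):
        reasons.append("derived-from-name")
    return reasons

if __name__ == "__main__":
    # Constructed sample accounts and candidate passwords.
    for user, name, pw in [
        ("admin", "Admin Account", "admin"),
        ("jdoe", "Jane Doe", "JDoe2017!"),
        ("jdoe", "Jane Doe", "copper kettle sings at dawn"),
    ]:
        print(user, repr(pw), audit_password(user, name, pw) or "ok")
```

Short names can match inside ordinary words, so treat a "derived-from-name" hit as a prompt to choose a different pass phrase rather than as proof of a weak one.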
3. Encrypt, Encrypt, Encrypt
All Equifax had to do was patch their software and they would never have been hacked. Sounds simple, right?
Not exactly. That hacker only had to breach one layer of security to reach the list of passwords.
Those lists of customer data that were stolen, some of the most sensitive financial information in the company, were in plain text files. Those are files that you or I could have opened on our devices without much effort. It’s about as secure as writing your PIN on your credit card.
Had that file been encrypted, it would have been useless to the hacker. Equifax could have prevented millions of people’s private data from being exposed to the world. And while an alarming number of businesses rely on outside services for encryption, we’ve always said that it comes down to the type of business that you want to run. Is it worth it to keep your encryption in-house, or to trust it to a vendor? The choice is yours, but we’ve already covered how overreliance on vendors can have its own issues.
Final Thoughts about the Equifax Breach
Regardless of how big your business is, we all can take some simple, concrete steps to improve security where we work. With so much riding on our data being secure, complacency and not taking these simple steps can put your business, customers, and employees at serious risk.
By using secure passwords, regularly updating your software, and encrypting important data, you can prevent what happened to Equifax from happening to you.