A couple of weeks ago I had lunch with another information security professional. We debated whether or not the Equifax breach would change executive attitudes about information security. Despite notable security breaches like Target, Home Depot and Heartland Payment Systems, the long-term stock price impact has been minimal for companies that suffer breaches. Furthermore, security and privacy laws in the United States lag behind those in Europe, Canada and other parts of the world. The fact is, there have been few or no consequences for companies that fail to protect sensitive customer information, so security often takes a backseat to revenue-generating corporate initiatives.
To be fair, the Target breach was a game changer for the information security industry. It was the first breach where multiple high-level executives, including the CEO, were fired. The Target breach moved the needle toward a more active approach from the C-suite. Since then, breaches have come and gone with only temporary impact to company value and minimal government action. I believe the Equifax breach is different, however. Here's why:
The threat actor(s) used the Apache Struts 2 vulnerability (CVE-2017-5638) for the initial exploit. A patch for this vulnerability was available back in March. In the weeks since the breach, Brian Krebs reported that Equifax was using "admin" for their administrator password as well. We also discovered that Equifax suffered a separate security breach in March. Apparently, they did not tighten up their security posture after that initial breach. If this is like other breaches, more revelations will come, but even what we know at this point constitutes gross negligence.
Unprecedented Consumer Impact
Over 143 million consumer records were disclosed. This has prompted calls for new laws, congressional investigations and legal actions from over 40 states, not to mention 23 separate class-action lawsuits. Social Security numbers, birth dates and other sensitive information were disclosed. This puts nearly half of the US population at risk of identity theft, stolen tax refunds and other threats. As consumers are compromised, the blame will fall squarely on Equifax, tarnishing its reputation even further.
In the days following the breach it was announced that CIO David Webb and CSO Susan Mauldin had "retired", effective immediately. Today, we learned that Richard Smith, Equifax's CEO, has also "retired", effective immediately. By all indications, Richard's career had been stellar prior to the breach. So far, three executives have lost their jobs as well as their professional reputations. I suspect there will be further housecleaning before the dust settles. As with the Target breach, which was also a game changer, the sudden end to executive careers is being noticed in executive suites.
Aside from FTC and criminal investigations, Congress is planning hearings. The question is whether there will be new federal or strengthened state laws resulting from the breach. The only federal statute that applies to this type of breach is the Gramm-Leach-Bliley Act, but every state with the exception of South Dakota and Alabama has breach notification laws. Given the fact that sensitive consumer information was available to threat actors for at least two months before Equifax disclosed the breach, I expect to see states tighten their notification requirements. We may also see a strengthening of federal law, but I'm not holding my breath.
It is estimated that the losses resulting from the Equifax breach will be $20 billion. Given the fact that Equifax's market capitalization is now less than $13 billion, the company's future is in question. The company lost approximately $6 billion in market value immediately following the breach. The stock price has made modest gains since the breach was announced, but is still under pressure. Given the legal costs, fines and brand damage, Mark Grossman, a technology attorney who was interviewed by CNBC shortly after the breach was made public, predicted that Equifax will not survive the fallout.
I'm not sure that I am ready to predict Equifax's demise, but this breach will certainly have a negative impact on the company for years to come. At a minimum, I see the Equifax breach as a wake-up call for executives in companies that process consumer or other sensitive third-party data. Given the fact that top executives have already lost their jobs and the legal actions have only just begun, I predict that C-level executives will make security a higher priority. I'd like to know your thoughts. Please leave a comment below.