143 Million Users’ Personal Data Exposed: Lessons Learned From the Worst Data Leak Case
In September 2017, United States citizens were surprised by the hacking of Equifax, a provider of credit reports and credit scores. The data of a total of 143 million credit card users was exposed, including cardholders’ names, social security numbers, birth dates, addresses and driver’s license numbers.
The attackers exploited a flaw in a web application tool called Apache Struts. The company already knew about the defect before the attackers took advantage of it, but it failed to take any preventive action.
According to a Wall Street Journal report, the hacking had started in March and was not detected until July 29. From around May to the end of July, the attackers managed to access the company’s sensitive information. Even after the intrusion was detected, the company delayed taking the app offline.
This was a direct blow to the company’s identity as a global company that manages and protects the data of hundreds of millions of credit card users. The Equifax case is very possibly the worst case of personal data leakage. Equifax was not the only company to be hacked, however: Yahoo, Verizon, and HBO had all been hacked in the past. In those cases the level of personal data leakage was more limited than at Equifax, and most of the damage could be resolved with a new password or a new credit card number.
Leaking the personal data of credit card users is very dangerous because the attackers could use it for illegal activities. The most pressing questions about the Equifax case are: why did the company not act immediately when it found the vulnerability, and why did it delay action after detecting the hack?
The important lesson from the Equifax case is that companies that store sensitive data in their systems should expect to be targeted by attackers searching for data that can be used for illegal activities. A proactive approach to cyber security is therefore essential.
Equifax was definitely aware of the issue, but it did not act immediately when the flaw was found and even delayed action when it detected the hacking. Addressing a problem as soon as possible after it is found is a crucial step. Cyber security is not just a matter for the IT division; it is a business risk for the company.