143 Million Personal Data Exposed, These Lessons Learned From The Worst Data Leak Case
In September of 2017, United States citizens were surprised by the hacking of Equifax, the company’s provider of reports and credit scores. A total of 143 million credit card user data was exposed, which includes the cardholder’s name, social security number, birth date, address, and driver’s license number.
The attackers exploited a flaw in a web application tool called Apache Struts. The defect is already known by the company before the attackers took advantage of it. However, they failed to take any preventive action.
According to The Wall Street Journal report hacking had started since March before it was finally detected on July 29. From May to the end of July, attackers managed to access the company’s sensitive information. Even after it was detected, the company delayed the move to take the app offline.
This attack was a straight attack on the company’s identity as a global company that manages and protects hundreds of millions of credit card user data. Equifax case is very possibly the worst case of a personal data leak. However, Equifax was not the only company. Yahoo, Verizon, and HBO had all been hacked in the past, but the level of personal data leakage was still limited unlike Equifax and the damage suffered could still be solved with only a new password or a new credit card number.
Leaking the personal data of credit card users is very dangerous because the attackers could have used it for illegal activities. The most questionable thing around Equifax’s case is ‘ Why did not the company act instantly when it found the vulnerability? Why did the company delay the action after detecting a hack? ‘
The important lesson we can learn from the Equifax case is companies that store sensitive data in their systems, should be expecting to be targets to attackers in search of data that can be used for illegal activities. Thus, proactive approaches to cyber security are essential.
Equifax was definitely aware of the issue, but they did not immediately take action when a flaw was found and even delayed the action when they detected the hacking. Addressing the problem as soon as possible when it is found is a very crucial step. Cyber security is not just an IT division matter, but it is a business risk for the company.
Photo by Freepik