On September 7th at around 4 pm, reports came out in the media that one of the three national credit reporting agencies – Equifax – had disclosed a large data breach. Estimates so far are that it has impacted approximately 140 million consumers. It has the potential to meet or exceed the JP Morgan Chase data breach from 2014.
Given the number of shares, re-shares and likes on social media, this is clearly big news. And while this piece focuses on the risks and what we can learn as vendor managers and risk professionals, there are some practical steps that we’ll highlight.
Details on the Equifax Breach
It’s easy to point fingers at a large national vendor when something like this occurs. Over the course of my career I’ve had the opportunity to visit with Equifax and have been most impressed with their operation.
They are a victim of their own success: as one of the three main credit reporting agencies, they hold an enormous amount of confidential private consumer data. A data breach at a CRA wasn’t a matter of IF, it was always a matter of WHEN.
Here are some of the big details:
- The actual data breach incident seems to have taken place between May and July of this year. Equifax discovered the breach on July 29th and disclosed it on September 7th. During this time, Equifax has worked with outside specialists to review the breach and has also been working with law enforcement agencies.
- As vendor managers, one item we look at is the financial health of a company. In the case of Equifax, on September 1st, the stock traded on the NYSE around the $142.00 mark. Just one week later, the stock fell just under 14% to $123. That’s a significant drop in price considering that the stock has traded consistently over $135 for the last 8 months. Even as we write this piece, media reports suggest that there is a suspect in trading Equifax options that stand to generate millions in profit. Is there a link? Time will tell.
- Republican Jeb Hensarling, the chairman of the House Financial Services Committee, announced a hearing to review this incident. The date of the hearing is yet to be disclosed, but this again raises the issue of regulatory oversight at the highest level.
- Given the enormity of this breach, Equifax will be dealing with:
  - Reputational fallout - data breach media is never good media.
  - Financial health and investor confidence will potentially take a hit.
Remember, this isn’t the first time that Equifax has experienced negative news. Earlier this year, the CFPB levied a multi-million dollar fine for misleading credit advertising standards. While this was big news in February, it could be considered a mere splinter compared to the fallout from a large data breach such as this.
Regardless of whether you are in the middle of a lending transaction today, if you have had your credit pulled or use a credit card, there is a good chance that the data was being stored by the 3 CRAs.
Positive Action for the Consumer
Luckily, Equifax created a special site for consumers to check if their data was included in the breach.
The website is: www.equifaxsecurity2017.com. From here, the user can check on impact.
To get started...
1. Enter your last name and the last 6 digits of your SSN.
2. After verifying that you are not a robot, click Continue.
3. After the system runs your info, you will receive a Thank you message which will indicate if Equifax believes your information has been impacted or not.
4. If this is the case, you are invited to enroll in a credit monitoring service. Due to the number of impacted consumers, the website invites you to return to the site to continue the registration procedure.
Note that there are no other reminders, so the user must take note of the directions and set the date to return to the website.
There is also a dedicated customer service hotline which is open from 7am ET to 1am ET. The dedicated phone number is (866) 447-7559.
In addition, Equifax has stated that it will offer identity theft protection to all US consumers at no cost.
To remain vigilant, consumers are advised to review their credit by visiting www.annualcredit.com. This will allow the consumer to request a copy of the credit report from all three CRAs: Experian, TransUnion and Equifax.
What Does All This Mean for Equifax?
It’s too early to say what the ramifications of this incident will be. Tough questions will need to be asked. Penetration and vulnerability testing, along with remediation and reinforcement of security, will undoubtedly be reviewed. The cost of this could easily reach hundreds of millions of dollars.
Regulators and board members will look to Rick Smith, CEO and Chairman of Equifax, for answers.
Relationships and partnerships may come under scrutiny - Equifax is a leading vendor who was approved by FNMA and the Day 1 certainty program. Other core systems, which may have integrations with Equifax to access information, may begin to look seriously at those connections and at any weak links in their own cybersecurity controls, and assess whether attackers have used those connections as an entry point to their networks. Controls surrounding the flow of data should be reassessed to ensure that the least amount of access is permitted between networks and that all access has a business reason.
Moving Forward – What Should You Do?
As vendor managers, you absolutely need to perform annual due diligence or even pre-due diligence during the pre-contract stage. And, it’s important for us to remember that vendors such as Equifax require specific levels of oversight. This is also a reminder that even if the vendor is a well-known company, you still need to look into them.
This requires SMEs who can look for those red flags which may not be readily identified by the generalist. Cybersecurity tools, in the form of software supported by analysts, are better able to identify the risks involved.
Rick Smith said it best in his address on the Equifax website: "Cybersecurity threats are on the increase daily. We have invested heavily in cybersecurity and we have more to do."
I share this sentiment and recommend that, as vendor managers who have the responsibility to provide oversight to these critical vendors, we invest heavily in the expertise to protect not only our consumer data but the financial institutions we represent.