The breach at credit bureau Equifax, which began almost exactly two years ago and lasted for 78 days, is making the headlines again.
Credit rating agency Moody’s has cut its rating outlook for Equifax from ‘stable’ to ‘negative’ due to the severe financial fallout of the hack in 2017, according to a CNBC report. The breach has cost the company some US$1.4 billion so far, excluding legal fees.
Moody’s decision is notable especially because it marks the first time that the cost of a security incident has prompted the agency to change a firm’s rating outlook. “This is the first time the fallout from a breach has moved the needle enough to contribute to the change,” Joe Mielenhausen, a spokesperson for Moody’s, was quoted as saying.
Arguably, however, the downgrade didn’t come out of the blue. Moody’s itself sent a clear message to boardrooms in November 2018 when it announced that its rating outlooks would begin to take account of risks related to cyberattacks.
A tale of woe
Two years can be a long time, so let's recall how the breach earned Equifax a place in history books.
At its simplest, the incident was facilitated by a critical vulnerability in the Apache Struts web application framework for which a patch was issued on March 6, 2017 but which Equifax failed to install in time. Fast forward to May 13, 2017 and hackers begin to roam the firm's network in a breach that wouldn't be discovered until July 29, 2017.
And it wasn’t until September 7 of the same year that Equifax disclosed that attackers had siphoned extensive personal data on half the US population, as well as hundreds of thousands of Canadians and Brits. The tally was later increased twice, finally coming in at data on nearly 148 million people.
The bulk of the criticism that Equifax has had to weather has to do with the firm’s lax cybersecurity practices. While the firm’s former CEO Richard Smith blamed the breach on the failure of a single person to deploy the patch, investigations found this to be merely a sign of a much deeper problem.
For example, a report that a US Senate committee released last month says that “Equifax’s shortcomings are long-standing and reflect a broader culture of complacency toward cybersecurity preparedness”.
Another scathing report, drafted by a House of Representatives committee and made public in December 2018, is well worth the read as it also provides unique insights into the circumstances that surrounded the incident.
Meanwhile, the thief or thieves remain unknown and the stolen data is nowhere to be found. CNBC recently reached out to a team of security experts, dark web data hunters and people involved in the investigation of the breach, who found that, contrary to what one would expect, the data has never turned up for sale in the internet’s dark recesses, nor does it appear to have been used for identity theft or scams.