The fallout from the Equifax hack that affected 145.5 million people can provide valuable lessons for preventing similar incidents before they happen, both at Equifax itself and in the industry at large.
The number of affected people was earlier placed at 143 million, but it rose by 2.5 million to 145.5 million, according to a statement Equifax posted on its website on October 2, 2017.
Equifax said in the statement:
“The completed review determined that approximately 2.5 million additional US consumers were potentially impacted, for a total of 145.5 million. Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.”
Mandiant, the company hired by Equifax to investigate the breach, earlier said it happened from May to July this year.
A public relations issue?
Equifax’s admission that an additional 2.5 million people were affected by the breach does little to save its public image, especially if one takes into account that its executives dumped their stockholdings right after the breach was discovered.
The Equifax breach can provide valuable lessons on how the industry can avoid costly mistakes. In addition to the public relations problem stemming from the breach, Equifax is facing a $70 billion lawsuit.
Detecting problems moving forward
There were initial reports that a defect in Apache Struts may have caused the breach, but no official findings from Equifax can confirm that yet.
Paulino do Rego Barros Jr, interim CEO, states:
“The completed review also has concluded that there is no evidence the attackers accessed databases located outside of the United States.”
With Equifax yet to disclose definite findings on what caused the breach, analysts and experts from marketing, as well as security experts, are looking into what other security measures (e.g., better VPN security and disaster recovery) should have been in place, so that another Equifax-style incident can be prevented at other organizations.
With that view in mind, perhaps the analysts and experts must strongly consider detecting problems before they happen.