A senator, a congressperson, and a House congressional committee have all publicly condemned it. Words like “unprecedented,” “outrageous,” “worst ever” and “literally everyone should sue” have described it. But what is it? What is happening?
It’s not a hurricane; it’s a hack. Credit-report company Equifax reported on Thursday a massive breach of consumer data that has left pundits, and the public, shocked. The sensitivity of the data, and the scope of the hack, contribute to the severity.
Almost half of the U.S. population is affected, some 140 million people. The stolen data comprises not just credit card numbers but driver’s licenses and Social Security numbers. A stolen credit card can be canceled. Conversely, your identity cannot.
That’s why this particular hack, focusing on this type of data, feels worse than the rest. Here’s how the Equifax disaster stacks up against the recent high-profile hacking trend.
What’s more, Equifax didn’t even know the hack was happening—not for months.
Equifax claims it found out about the hack in late July. (Even though they only reported it to the public this week.) What’s doubly concerning, though, is that Equifax says criminals penetrated their network, and thus had access to consumer data, as early as mid-May.
Here’s what that means: Hackers had penetrated their networks, and were stealing sensitive data, for over a month before Equifax even knew about it!
This is the equivalent of a criminal hiding in your closet, waiting. For Equifax, their worst fears came true. Yes, there was someone in the house, the whole time. Watching. Lurking. And Equifax didn’t have a clue.
This kind of hack, and the resultant delay, is catastrophic. An insidious, far-reaching attack, similar to this one, is a sign of structural security flaws in your organization and your information systems. And those flaws beget consequences.
You are powerless to stop what you don’t even know about
If your organization doesn’t find out about a hack until over a month later, and then doesn’t, or can’t, mobilize to counteract it until several more months after that—your customers’ data could be who-knows-where, in the hands of who-knows-who.
This lack of visibility, and inability to react, is negligent—criminally so. Knowing nothing, and doing nothing, can lead to:
- A loss of credibility
- A loss of profit
- A loss of business
- Jail time
You’re only as good as your weakest point of entry
The New York Times reports that hackers captured “the company’s crown jewels through a simple website vulnerability,” noting that Equifax had experienced previous breaches but did nothing to remedy their weak points.
Here’s where Equifax’s problems become universal. Vulnerability is a sticking point for every organization, because every organization, to varying degrees, is flawed by design. VPN log-ins, unsecured Wi-Fi networks, phishing scams, honest mistakes, human error—these vulnerabilities add up. Almost every organization, for example, that deals in personal data has a website. Thus, almost every website will be targeted. The incentives for hackers are just too great.
The bottom line is, this could happen to any business. It could happen to yours. In fact, like with Equifax, it’s possible it’s already happened to you—and you just don’t know it yet.
The exposure encompasses multiple levels
There are so many point of entry in a given network for hackers to exploit. Without multilayered and comprehensive security, you’re vulnerable. It’s the equivalent of leaving a window open in your home. Here’s how you close your proverbial windows:
- Scan for vulnerabilities—automatically and constantly
- Establish layers of security
- Standardize best security practices
- Emphasize organization-wide accountability
In a hospital, the best way to prevent disease is hand washing. Everyone does it, from the doctors to the orderlies, and it’s embedded into the daily workplace routine. With cyber security, the principle holds. To protect your customers’ data, you have to make data security integral, paramount, and part of the routine.