Equifax Hacked before GDPR and what was considered a ‘large’ fine for such a big breach!

Updated: Apr 13, 2020

Prior to GDPR the security ombudsman of UK is pushing to give a penalty to programmers a 660,000 fine to Equifax for redirecting information of 15 million Brits from databases of the credit score agency. Had this happened after May 2018 when GDPR was in place the fine would have been much bigger?

Equifax violated the security privacy of the British Nationals and a huge price has to be paid in accordance with the country’s Data Protection Act.

Equifax, an American business, was breached in 2017 when an IT staff failed to set up a patch which led to cybercriminals gaining access to the millions of personal data from Americans and Brits.

These records included names, phone numbers, dates of birth, as well as driving permit numbers. Furthermore, Brits also had their Equifax account email addresses, while others had their names, addresses, dates of birth, account usernames as well as plaintext passwords, obscured credit card numbers, and recovery secret question and answer stolen by hackers.

This information was stored in an archive that they call “standard daily fraud from the production data and held in a document that can only be accessed by the IT staff and system admins. Because of this, it was easily available to hackers. Strangely enough, the report was constructed on a regular basis for Equifax’s fraudulence research staff to employ for searching accusations of credit card frauds.

Scammers entered Equifax’s units between May 13 and July 20, 2017, even though the business was cautioned in March that year by US Homeland Security that it’s IT system was unsafe. It was practically informed the organization that its Struts 2 structure had a remotely exploitable protection hole (CVE-2017-6538 ) in it.

Because of inadequate internal procedures as well as auditing, the software program wasn’t patched. This enabled intruders to tiptoe via the hole, and into the US-based system . Homeland Security’s warning was transferred via the ranks in Equifax. Nevertheless, its system admins failed to recognize its public-facing client dispute-handling site operating the Struts 2 structure required upgrading. Therefore it had been left unpatched.

Miscreants were digging around Equifax’s unsafe programs as early as March 10, before the May incursion. The organization had set up the device to examine system traffic for suspicious activity – including scumbags syphoning off a hundred and fifty million client account – in spite of this, IT personnel were unsuccessful for several months to renew a digital certificate for the equipment, which means encoded connections were not scrutinized. Hence, the criminals were able to smuggle out the information over an encoded route without causing any alarms.

On July 29, with the certification updated, the US region of Equifax discovered it was hacked, and in late August figured out British people were affected, as well. Its IT employees were forced to rerun, on test installations, the data source queries operated by the hackers to determine what was recovered, which took some time to establish.

On September 7, that year, the US side informed its UK-based Equifax Ltd the terrible report, and a day after, that subsidiary confessed to the ICO that it was pwned – at first stating less than 400, 000 Brits were affected, then pushing that figure to 1 .5 million before ultimately upgrading it with an additional zero.

The ICO probed the computer protection breach incomparable with the UK’s Financial Conduct Authority, before deciding on giving out the highest fine possible at the time.

According to Elizabeth Denham, the information commissioner of Blighty’s, not having personal information is both upsetting to customers and undermines consumer trust in digital commerce especially when there is a possibility of financial fraud. Albeit, she stated that Equifax deserved the penalty that they received under the 1998 legislation especially after compromising the data of a lot of its customers. Furthermore, she also stated that Multinational data companies such as Equifax should give importance in data protection and take precautionary measures to prevent breaches to meet both the legal and their customer’s expectations. With this, she said that the company showed negligence on their part which led to the fines.

Equifax made a $587 million profit in 2017 from revenues of $3.4 billion.

Equifax addressed the issues stating that they cooperated with the ICO during the investigation and how they were commended for their broader range measures to prevent the criminal attacks from happening again as stated by the ICO. They also stated how they were disappointed with the findings and penalty but also apologized for the cyber attack particularly to those who were put at risk.