Equifax: The fallout continues

By Srii Srinivasan, CEO of Chargeback Gurus

There is no way to overstate how bad the Equifax breach was. Even though it was announced during the same month as mega-breaches from SEC and Deloitte, this one stands out. The consumer records of over 145 million people were stolen and, as Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse puts it, we’ll be feeling the effects for “essentially a hundred years, until everybody is dead that was exposed by this breach.”

Equifax is one of three major consumer credit reporting agencies based in the U.S., aggregating the personally identifiable information of over 800 million consumers and 88 million businesses worldwide. According to Equifax’s own statement, the data mining began in mid-May but wasn’t discovered until July 29. By then it had become one of the biggest data breaches in history.

To point is that this data breach affects everybody. Even if your business wasn’t one of the millions that had their information stolen, the odds are more than likely that some of your current customers were affected, and now all your future customers are also at risk. This breach is a wakeup call for companies of all sizes to take cyber security seriously, but if you’re one of the millions of small to medium-sized businesses (SMBs) you need to take extra care. SMBs are considered an “easy target” by hackers and fraudsters – case in point: half of the 30 million SMBs in the U.S. have been victims of cyber security breaches according to a report from the Ponemon Institute – and especially in the wake of the Equifax breach, ignorance  is no longer an excuse.

Here are the key lessons to learn from this experience:

  1. Only you can prevent security breaches.

Equifax has been widely criticised for the security breach and has been the subject of numerous lawsuits in the aftermath. This is because, by their own admission, they were aware of the vulnerability and a patch had been available as of March, two months before the data breach began.

It’s symptomatic of a larger problem throughout the payments industry: companies don’t take data security seriously enough. By not patching a known vulnerability, Equifax did what many companies have done in their position – they put security on the backburner until it was too late. Consumers and companies alike, no matter how often they hear stories about identify theft and data breaches, often think “it couldn’t happen to me!” – until it does.

If it can happen to companies as large and resource-rich as Equifax, Deloitte and SEC, it can happen to anybody. Organisations of all kinds need to assess (and reassess) the measures and mechanisms maintaining their data security. The latest upgrades, patches and best practices need to be applied in real-time. There is no excuse for delay.

  1. Honesty is the best policy.

When Equifax discover the breach on July 29, they were well aware that it was caused by their failure to patch a known vulnerability. As if that wasn’t bad enough, they then waited a full six weeks before disclosing the breach. During those six weeks, the personally identifiable information of 145 million consumers was in criminal hands, but those people had no way to know it. It’s impossible to quantify the amount of damage that could have caused.

As much as this incident was a major security problem for Equifax, it was also a major PR problem. The outrage would not have been so severe if they hadn’t waited six weeks to disclose the breach.  Beyond prevention, businesses also need to develop a robust plan for dealing with a security breach that involves notifying stakeholders as soon as possible and making amends for the problem.

  1. Nobody is safe from fraud.

Doing business just got a whole lot riskier. Everyone directly affected by the breach is going to be at risk of credit card fraud and identity theft for the rest of their lives, which means that it’s that much more likely for SMBs to be hit with fraudulent transactions. Because the Equifax data breach includes everything from card data and social security numbers to drivers license numbers and addresses, it’s going to be harder than ever for online merchants to tell the difference between a fraudster and a legitimate customer. It’s time to double down on security and customer verification, but also be prepared for more chargebacks.

  1. Be proactive.

Everything is going to change. Quite frankly, the three major breaches announced in September are probably only one small piece of the pie. It’s likely that there are other security breaches happening as we speak that we just don’t know about yet. But if there is one silver lining, it’s that the Equifax breach has made people very angry. It has inspired lawmakers to reevaluate how to hold organisations accountable for failing to protect consumer information – and putting the entire payments industry at risk as a result – and it has reminded businesses to take cybersecurity seriously. All companies, SMBs and high-risk merchants especially, need to be proactive, forward-thinking and prepared to adapt to a changing security, legislative, and technological landscape.

Srii Srinivasan, CEO of Chargeback Gurus, is an industry veteran at minimising chargebacks and fraud for card-not-present transactions.