143 million customer records stolen at credit reference agency

Synopsis

In September 2017, one of the big three credit reference agencies disclosed they had suffered a data breach which exposed personally identifiable information for 143 million US customers along with other customers around the world. The attackers exploited a security flaw on the company's website.

This data breach was breathtaking due to the amount of highly sensitive data effectively handed over to the attackers, including full names, social security numbers, birth dates, addresses and driver licence numbers. It put almost all of the information that companies use to confirm consumers' identity directly into the hands of hostile actors, where it will remain indefinitely.

According to Senator Mark Warner, vice chairman of the Senate Select Committee on Intelligence, it would not be an “exaggeration to suggest that a breach such as this represents a real threat to the economic security of Americans”.

A standard precaution advised to data breach victims where financial information is exposed is to monitor your records at the credit reference agencies. According to Avivah Litan, a Gartner Inc analyst who tracks identity theft and fraud, “on a scale of 1 to 10, this is a 10. It affects the whole credit reporting system in the United States because nobody can recover it, everyone uses the same data”.

Other notable aspects of this case were the company's severely criticised "haphazard" incident response and the departure of key executives, including the CEO and CISO, as a result of the breach.

In September 2018, the company was fined £500,000 by Britain's ICO. The US government blamed the ex-CEO, Richard Smith, claiming it was his aggressive expansion strategy that led to the breach.

Analyst

Courtenay Brammar

Experienced global enterprise risk and governance professional. Previously Vice President at Morgan Stanley, Deloitte Risk Advisory practitioner and PRMIA steering committee member in both London and New York.

Additional services

We offer a range of cost-effective, fixed-price training programmes and consultant services derived from the unique insights gained from all our case study data.

If you'd rather we did the heavy lifting in developing a cyber incident response plan or lessons-learnt training for your organisation, underpinned by our unique insight into the challenges faced and strategies implemented by organisations countering today's cyber security threats, then please contact us.

Companies

  • Equifax Inc.
