Unfortunately, another major data breach story has been developing recently. Equifax, a major provider of consumer credit scores based in the USA, has been compromised, with the personal information of potentially up to 143 million people exposed between mid-May and July this year.
The data that was accessed included important details such as names, social security numbers as well as driver’s license numbers for some of the profiles that were leaked. In addition to this, a smaller number (approximately 209,000) of credit card numbers were also compromised.
While the compromise of the data in the first place is of significant concern, it is the lack of reporting that is even more worrying. Several months have passed since the breach was identified internally, with several key stakeholders selling off stock during the time frame in which it was discovered (although it is claimed they were unaware of the breach at the time). The breach was not made public until very recently. There are legitimate reasons for a breach not to be reported straight away, such as carrying out investigations into the extent of the breach, as well as forensic examination to determine how the breach occurred, prior to releasing the information. In this incident, however, the delay was significantly long. This gives the attackers ample time to use the information gained for nefarious purposes, or to sell it on for profit, without the victims being aware that their data was compromised.
Under the new Mandatory Data Breach Notification requirement coming into effect on 22nd February 2018 in Australia, this sort of failure to report a breach would be heavily penalised and as such would be less likely to occur, giving consumers more time to take actions such as cancelling cards or checking for suspicious activity in their name. This is one area on which Australia has taken a strong stance, and it contrasts starkly with the loose regulations in the US.
Having the proper procedures in place for identifying and reporting a breach is crucially important. The sooner a breach is identified, the more likely it is that actions can be taken to prevent further leakage of information and to inform consumers of the risk and the possible actions they can take.
For assistance in developing reporting and monitoring policies and procedures, as well as implementing other security functions to help prevent data breaches, please do not hesitate to contact Agilient.
The Agilient Team