According to wsj.com (paywalled), Equifax had already suffered a data breach before the one that made the company famous around the world. In 2015, two years before the hack that started with a bang and ended with less than a whimper, “Chinese spies” made off with “thousands of pages of proprietary information” that included code, HR files, and manuals.
For many, the use of the word spy in this context will set off visions of Chinese Matt Damons pulling a The Departed (or as they say in that neck of the woods, “Dee Dee-paaaah-ted”). In actuality, the breach appears to be unremarkably mundane: people being bribed with jobs and salary increases to walk out with proprietary information. It’s the kind of thing that happens all the time. For example, that’s Google’s beef with Uber.
Why Are We Hearing About It Now?
The US has a fractured mishmash of laws and regulations when it comes to data breaches, information security, and data privacy, instead of a comprehensive law. What this means is that Equifax’s 2015 breach was not made public (legally) because it didn’t involve personal information – at least, not in the way we think of it.
HR files must, by definition, include personal info. However, these would be employee records, not consumer records… and the laws and regulations that have been passed so far, for the most part, involve consumer records or a variation thereof. It’s the reason why, for example, HIPAA kicks in when patient data is put at risk but not when nurse and doctor info is stolen.
As mentioned before, the breach was not made public earlier. This does not mean, however, that Equifax just sat on it. They did contact the FBI and they did carry out an investigation. That the company decided not to go public is understandable and entirely within their legal right. It should also be noted that going public in this instance wouldn’t have helped anyone: the message would essentially be “your employees could steal from you!!” Everyone knows this already. It might have mattered more if, for example, the message was “change your default passwords immediately!”
But, in light of the hack that occurred two years later, it does raise questions.
Lessons Not Learned
Earlier this month, the US General Accounting Office released a report on the 2017 Equifax data breach, aka, The Big One. Per fortune.com, the report:
summarizes an array of errors inside the company, largely relating to a failure to use well-known security best practices and a lack of internal controls and routine security reviews.
“Lack of internal controls and routine security reviews.” You’d think that a company that saw a guy walk off with the company’s secret sauce to a potential competitor would have done something about internal controls and routine security reviews. That these were still lacking in the two years bookended by the two data breaches speaks volumes about what Equifax thought was important.
Thankfully, it looks like perhaps the credit reporting agency is finally taking data security seriously. But then, with everyone looking and keeping track of what they’re doing, it’d be a bad idea not to.