By Srii Srinivasan
There is no way to overstate how bad the Equifax breach was. Even though it was announced during the same month as mega-breaches from the SEC and Deloitte, this one stands out. The consumer records of over 145 million people were stolen and, as Paul Stephens, Director of Policy and Advocacy at the Privacy Rights Clearinghouse put it, we'll be feeling the effects for "essentially a hundred years, until everybody is dead that was exposed by this breach."
Equifax is one of three major U.S.-based consumer credit reporting agencies, aggregating the personally identifiable information of over 800 million consumers and 88 million businesses worldwide. According to Equifax's statement, data mining began in mid-May 2017 but wasn't discovered until July 29. By then it had become one of the biggest data breaches in history.
This one affects everybody. Even if your business wasn't one of the millions that had information stolen, it is more than likely some of your customers were affected; all your future customers are also at risk. This breach is a wakeup call for companies of all sizes to take cybersecurity seriously, but if you're one of the millions of small to midsize businesses (SMBs), you must take extra care. SMBs are considered an easy target by hackers and fraudsters: half of the 30 million SMBs in the United States have been victims of cybersecurity breaches, according to a recent report from the Ponemon Institute. Ignorance is no longer an excuse. Following are key lessons to heed from Equifax's experience.
Equifax has been widely criticized for the security breach and has been the subject of numerous lawsuits in the aftermath. This is because, by its own admission, Equifax was aware of the vulnerability, and a patch had been available as of March ‒ two months before the breach began.
It's symptomatic of a larger problem throughout the payments industry: companies don't take data security seriously enough. By not patching a known vulnerability, Equifax did what many companies have done: put security on the back burner until it was too late. Consumers and companies alike, no matter how often they hear stories about identify theft and data breaches, often think it can't happen to them – until it does.
A data breach can happen to anybody. Organizations of all kinds need to assess (and reassess) the measures and mechanisms maintaining their data security. The latest upgrades, patches and best practices need to be applied in real time. There is no excuse for delay.
When Equifax discovered the breach July 29, company executives knew the intrusion was caused by their failure to patch a known vulnerability. As if that weren't bad enough, they then waited six weeks before disclosing the breach. During that time, the personally identifiable information of 145 million consumers was in criminal hands, but the victims had no way of knowing it. It's impossible to quantify the amount of damage that could have caused.
This was also a major PR problem for Equifax. The outrage wouldn't have been so severe if the company hadn't waited to disclose the breach. Beyond prevention, businesses need to develop a robust plan for dealing with a security breach that involves notifying stakeholders as soon as possible and making amends for the problem.
Doing business just got a whole lot riskier. Everyone directly affected by the breach is going to be at risk of credit card fraud and identity theft for the rest of their lives, which means that it's that much more likely for SMBs to be hit with fraudulent transactions. Because the Equifax data breach includes everything from card data and Social Security numbers to driver's license numbers and addresses, it's going to be harder than ever for online merchants to tell the difference between a fraudster and a legitimate customer. It's time to double down on security and customer verification, but also be prepared for more chargebacks.
Everything is going to change. The three major breaches announced in September are probably only one small piece of the pie. It's likely other security breaches are happening as we speak that we just don't know about yet. But if there is one silver lining, it's that the Equifax breach has made people very angry. It has inspired lawmakers to re-evaluate how to hold organizations accountable for failing to protect consumer information – and putting the entire payments industry at risk as a result – and it has reminded businesses to take cybersecurity seriously.
All companies, SMBs and high-risk merchants especially, need to be proactive, forward-thinking and prepared to adapt to a changing security, legislative and technological landscape.
Srii Srinivasan, CEO of Chargeback Gurus, is a veteran at minimizing chargebacks and fraud for card-not-present transactions. She specializes in helping high-risk merchants optimize operations overhead, identify vulnerabilities and reduce fraud and chargeback revenue loss. As a payments, ecommerce and software development expert, Srii leads a team of 120 members delivering the fastest-growing chargeback representment and prevention services in the United States; Chargeback Gurus was named to the 2017 Inc. 5000 list of fastest-growing businesses. A seasoned speaker, Srii is active in the Electronic Transactions Association and consults enterprise businesses on revenue increase, automation and fraud minimization. Contact her at firstname.lastname@example.org.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next