One of the biggest consumer credit reporting agencies in the United States is learning a harsh lesson. A massive breach that affected personal information of 143 million U.S. consumers has led to the forced retirement of Equifax’s chief information officer and chief security officer, a 13 percent drop in market valuation, several class action lawsuits and a deterioration in public trust.
Equifax, which collects and aggregates information on over 800 million individuals and more than 88 million businesses worldwide, reported a major breach on Sept. 7, months after it reportedly noticed “suspicious network traffic” associated with its U.S. online dispute portal web application.
143 million customer records leaked
The incident compromised the personal information of 143 million U.S. consumers, including names, Social Security numbers, birth dates, addresses and driver's license numbers. Credit card numbers for approximately 209,000 consumers, and certain dispute documents with personal identifying information for approximately 182,000 consumers, were also accessed. Equifax reported unauthorized access to personal information for certain U.K. and Canadian residents as well.
Equifax handled the breach poorly, attracting public outcry and numerous lawsuits. Law firm Geragos & Geragos, for instance, seeks up to $70 billion in damages for its clients. If successful, it would be the largest class-action suit settlement in the history of the United States, according to the firm.
The company is also facing a criminal probe after three executives sold stock worth a cumulative $1.8 million before disclosing the breach. The company’s market valuation dropped 13 percent in early trading the day following the announcement.
As a result of the breach, two executives at Equifax immediately lost their jobs – specifically, Chief Information Officer David Webb and Chief Security Officer Susan Mauldin. They are being replaced by Mark Rohrwasser, who joined Equifax in 2016 and has led Equifax International IT operations, and Russ Ayres, who served as vice president of IT at Equifax and has now been appointed to the CSO position on an interim basis. Ayres will report directly to the CIO.
The modern CIO’s role on cybersecurity
While the chief information officer has traditionally owned IT security (covering both data-focused information security and the malware-centric side of cybersecurity), experts agree that cybersecurity has become a much larger part of the CIO's agenda in recent years.
“The CIO must act as a steward for the data and ensure that the right controls and processes are in place for data security,” according to security rating firm BitSight.
At the same time, the CIO must “facilitate the cybersecurity awareness of end users or for those managing applications or analytics,” according to a list of roles and responsibilities for the CIO regarding cybersecurity.
Most often, it is this human factor that leads to major data breaches. Sometimes it takes only a single vulnerable terminal, or one unwary employee opening a phishing email, for a database to be compromised.
“The CIO must ensure that the right controls are in place and the right tools to mitigate cybersecurity risk are in use,” the list continues. “The CIO must be able to appropriately benchmark cybersecurity and leverage frameworks like NIST or ISO 27002/1.”
The non-regulatory US National Institute of Standards and Technology, or NIST, is a measurement standards group with the mission to promote innovation and industrial competitiveness.
Finally, the CIO must also enforce and manage cybersecurity controls for vendors, ensuring they are vetted appropriately.
Cyberattacks give rise to chronic fear of getting fired
In a survey of 250 IT decision makers in the United States in companies with more than 1,000 endpoints, Bitdefender found that 73% of IT decision makers fear the financial compensation the company might have to pay after a security breach, while 66% voiced fears about losing their own jobs. If the Equifax breach is any indication, IT decision makers have every reason to start facing these fears and beef up cybersecurity.
According to the same survey, the main cyber threats companies are ill prepared for are: outsider attacks (43%); data vulnerability (38%); insider sabotage (35%); user errors (35%); and phishing (35%).
The mounting pressure of cyber breaches in the past few years has led CEOs to consider CIOs among the most important C-level managers, next to COOs and CFOs, in decision-making strategy, and has made security a boardroom topic.
However, even though nine in 10 IT decision makers consider security a top priority for their organizations, most agree that the budgets to deliver efficient IT security policies are lower than they should be.