A year ago this week, the credit bureau Equifax saw signs of a problem on its network. A really big problem. Hackers had entered the company’s systems, stealing the personal and financial data of more than 147 million people in the United States, including Social Security numbers, dates of birth, home addresses, and some driver's license numbers and credit card numbers. Though other breaches have exposed more total records, the Equifax debacle is generally considered the worst corporate data breach ever in the US, because of both the scale and the nature of the information it exposed.
Equifax was also woefully underprepared to handle the fallout, botching both the public disclosure and its effort to make resources available to impacted people. In the months since, the credit bureau has remained fairly quiet amidst class action suits, congressional scrutiny, a Federal Trade Commission probe, and a wave of new state regulations designed to ensure that Equifax substantially improves its security defenses.
As part of this, process the company hired a new chief information security officer, Jamil Farshchi, in February. In a series of interviews, he and other top executives told WIRED that the company has committed to an expansive multiyear effort to transform its corporate and data security approach. The question at this point, though, is whether it could possibly be enough.
Prior to Equifax, Farshchi had overseen information security at high-stakes companies like Time Warner and Visa, as well as government groups like Los Alamos National Laboratory. He's also no stranger to emergency response; Home Depot brought him in to help clean up the company's massive 2014 data breach, which exposed 56 million credit and debit card numbers. But working at Equifax now, Farshchi acknowledges the unprecedented scale of the crisis. "We had one of the most impactful breaches of all time," he says.
In the year since the breach, the company has invested $200 million on data security infrastructure. And Farshchi says Equifax has given him the resources he needs to build a stellar security program.
"One of the things that I really love about being a CISO in a post-breach environment is it gives you such an immense opportunity to drive fundamental, meaningful change in a very short timeframe," Farshchi says. "I felt like I did good things when I was at Los Alamos or at NASA, but it takes so frickin' long to push some of this stuff. The barriers you face at any company not post-breach is you're always fighting for budget, you're always fighting for face time, trying to justify and convince people about the importance of security and risk management. When you're in a post-breach environment, everyone already knows that it's critically important."
At a Congressional hearing in October, Equifax's former CEO Richard Smith hinted at the reckless approach to security the company took for years. Smith said that he had only met with company security and IT executives quarterly to discuss Equifax's status—four meetings a year to defend the crown jewels of US consumer data. He indicated that the company's software patching operation was inadequate and flawed. And he even admitted that Equifax's data storage approach didn't involve consistent, robust encryption.
That lax attitude directly resulted in the vulnerability hackers exploited to penetrate Equifax's networks and steal consumer data. The bug was a known web framework weakness; a patch had been available for about two months before hackers entered Equifax's network. The company had failed to apply it, and once hackers were on the network, Equifax's poor data hygiene, permissive access controls, and open network architecture allowed them to grab a priceless trove.
'We had one of the most impactful breaches of all time.'
Equifax CISO Jamil Farshchi
"The first step has been to stop the bleeding," Farshchi says of his work since starting with the company. "We have to harden the perimeter and make sure that we do not have any more weaknesses up front." At the beginning of a breach remediation process, prioritization is the toughest challenge, Farshchi says, since so many improvements and initiatives merit attention. So he emphasizes fundamentals, and completing baseline essential projects first.
That includes improving processes for patching, vulnerability management, and certificate management. Another primary priority has been strengthening access control protections and identity management across the company. By keeping systems more siloed, Equifax can minimize the free-for-all of unneeded access that adds exposure and risk. Additionally, Farshchi says that the company has prioritized improved data protection across its entire infrastructure, coupled with better detection and response programs to handle new problems more gracefully if and when they emerge.
All of these improvements are happening as Farshchi staffs up the security team—broadening its expertise—and works on governance and reporting so that Equifax can offer proof of compliance and general progress.
"It's easy from the outside [to judge], and trust me, I had a visceral reaction to the Equifax breach myself, because I was a victim of it," Farshchi says. "But when you get the view from the inside you see how many good things there are that you can use as the basis for future success."
In addition to new hiring and reorganization within the security department, Farshchi says that the company is also working on a major cultural shift to incorporate both preventative measures and response training across every department. Equifax is also already working to turn these improvements outward to help others—and perhaps tout its transformation in the process.
"Our goal is to create a world-class security program at Equifax and to share what we’ve learned from our own experiences in order to ultimately help our industry better protect and defend against cyberattacks," Equifax CEO Mark Begor wrote in comments to WIRED. "Data security is a long-term battle that will require continued innovation and attention. It will always be a top priority for our company."
An important nuance of the Equifax data breach is that unlike other large-scale corporate leaks, like those suffered by Home Depot and Target, the data Equifax exposed wasn't from its direct customers. The three major credit reporting agencies—Equifax, Experian, and TransUnion—use consumer data as a commodity, selling it to anyone seeking access to credit reports. Which means that the people whose information Equifax exposed didn't have a choice about the company holding their information. In fact, consumer outcry in the wake of the breach made clear that many people in the US have never heard of credit bureaus, and don't know what they do or why they would possess so much personal data in the first place.
If nothing else, the blowback from the breach has made Equifax officials more conscientious about that distinction, and its ramifications. "We definitely were talking about, why do you need credit? What is credit," says Nancy Bistritz-Balkan, Equifax's vice president of consumer education and advocacy. "But the preamble to that conversation in terms of what exactly do the bureaus do, why is it important? I think that’s definitely part of a conversation that we’ll look at much more closely moving forward. I can tell you that from my own perspective, I got a lot of emails asking that question: 'Why does Equifax have my data?'"
Equifax has expanded its consumer outreach and education programs since the breach. But even if customers are aware of credit bureaus, they're still unable to opt out of them. "You are Equifax’s commodity, and the fact is you have minimal control over what data they hold. That’s what their business model is," says Ira Rheingold, the executive director of the National Association of Consumer Advocates. "That’s what consumers are most concerned about. If consumers had a choice they would walk away and say, 'I don’t want you to have my data.'"
But Bistritz-Balkan plays down consumer concerns of being trapped in the credit bureau system. "I don’t know that I have heard that specific pushback," she says. "What I’ve heard from consumers is, 'hey, we need to understand this a little bit more.'"
Equifax says that "enhancing the experience of consumers who engage with us" is one of the four main priorities that have driven the company's transformation. Julia Houston, Equifax's chief transformation officer, a role created in October to coordinate breach remediation efforts, explains that the others include rebuilding trust with the bureau's actual customers, becoming an industry leader in data security, and investing in network security improvements.
Houston points to what she calls "fundamental shifts" in Equifax's business practices catalyzed by the breach. "Things like starting to change the way that we approach security training and education for professionals across the entire organization. And thinking about the way that we manage risk and teach our employees to manage risk," Houston says. "It’s really just changing the way security is aligned within our organization."
'The first step has been to stop the bleeding.'
Equifax says it has made extensive progress, and details a robust approach to overhauling its security. But for those understandably not willing to take Equifax's word for it, progress on external accountability has come as well. The company signed a consent order at the end of June with regulators from eight states agreeing to certain specific improvements, like demonstrating that is has improved oversight mechanisms, security audits, and threat monitoring. Equifax is required to submit monthly progress reports to the regulators beginning this month, and a third-party firm will test to confirm that the improvements are in place by the end of the year.
"The way Equifax handled its breach was insulting, and in terms of the data that was stolen the cow has already left the barn," says Jason Glassberg, cofounder of the corporate security and penetration testing firm Casaba Security. "But if Equifax really has made that level of commitment to improving its cybersecurity then I applaud them. The question is just what they are spending this small fortune on in practice, and what the real-world security impact will actually be."
The FTC also opened an investigation into the Equifax breach in September. In May, FTC chairman Joe Simons told Congress that the agency is still "heavily focused" on the breach probe. But that same month, the FTC appointed as head of its Bureau of Consumer Protection a lawyer, Andrew Smith, who has represented numerous large corporations—including Equifax itself.
Equifax says that the transformation process is a long-term commitment to doing things differently, and letting the results speak for themselves. "It’s important for people to understand the seriousness with which we’re taking our remediation efforts, the investments that we’re making in data security, and the seriousness with which we see our obligation to the data that’s been entrusted with us," Houston says. "We have to continue to deliver, and then when we deliver on what we promise, that’s when we will rebuild the trust."
For the 147 million Americans impacted by the breach, all of Equifax's improvements and reforms are likely small consolation. But at least the company has made strides toward minimizing the chances that it happens again—and being better prepared to react if it does. "No matter how much you invest, how great your people are, any organization nowadays can be breached," says Farshchi. And no one knows it better than Equifax.