On Tuesday, September 7, 2017, Equifax announced that up to 143 million consumers may have been subject to a data breach event from mid-May to July 2017. The affected information appears to consist of three categories: (i) personal identifying information, including names, social security numbers, birth dates, addresses and driver’s licenses; (ii) personal financial information, including credit card and banking information; and (iii) customer support tickets. Equifax has also disclosed that the data breach event appears to have been the result of an exploit against an unspecified application. The first two buckets of compromised data suggest that the exploit could have led to the unauthorized access of Equifax systems or the unauthorized transmission of data being entered by Equifax users. The third bucket of compromised data suggests that the exploit caused the unauthorized access of Equifax systems. At this time, Equifax has not released enough information to definitively determine whether the application exploit caused internal or outward-facing issues.
The Equifax data breach is particularly interesting because the consumer data that was compromised was, in most instances, not actively supplied to Equifax by the affected consumer. Rather, as a credit reporting company, Equifax’s pool of consumer data was supplied by third-party businesses, such as retailers, financial institutions and travel companies. This means that the Equifax data breach is distinguishable from most other major data breach incidents, as some impacted consumers may not even know that Equifax was in possession of their data.
In addition to the consumer issues, the Equifax data breach calls into question whether statutory protections need to be imposed in the arena of centralized mass data. As this matter illustrates, compartmentalization and segmentation of sensitive data must be adopted by even the most secure of entities, since no amount of risk management can be 100% effective against technology exploitation.
Lastly, the Equifax data breach could also trigger industry-wide changes in how cyber insurance providers insure mass data markets. This is largely because the cyber insurance industry does not currently provide clear guidance on how secondary and tertiary insurance policies cover catastrophic risks caused by third-party recipients of personal records.