Equifax reported the cost days after its former CEO testified before the Senate saying he doesn’t know who attacked them.
Equifax reported costs of $87.5 million due to its “cybersecurity incident.” Despite massive fallout from one of the largest data breaches in history, Equifax still reported a 4% increase in revenue for the third quarter of 2017, compared to Q3 2016.
The company did report profit losses of 27%, however, which may be due to the money it has had to dedicate to what it described as production costs, professional fees, and consumer support.
Dedicating $87.5 million to addressing the costs of such a massive breach may not have produced any tangible security results for Equifax, or even helped it figure out who attacked it.
Mr. Smith goes to Washington
Former Equifax CEO Richard Smith testified before the Senate on Wednesday, revealing that the company still had no idea who was behind the attack. He did, however, note that they knew precisely why the attack happened: An unpatched Apache vulnerability.
The vulnerability in question was reported and assigned a CVE number in March 2017. It was even given a rating of 10, the most critical score on the scale. Despite that, the Apache server at Equifax running the vulnerable software remained unpatched as of May, leading to the theft of over 145 million customer profiles.
This isn’t a unique incident: throw a dart at a list of major security incidents in the past few years and you’re likely to hit one that was caused by unpatched vulnerabilities. From WannaCry to all the vulnerabilities leaked by the Shadow Brokers (all of which have been patched by Microsoft), hackers are largely targeting systems with known, exploitable vulnerabilities.
Don’t get stuck with the bill
The average data breach is nowhere near as costly as Equifax’s, but at $3.62 million it could still be enough to cripple a new or growing business. Not everyone can bounce back as easily as a behemoth like Equifax; even big companies like Yahoo have been crippled by the attacks they’ve faced.
There’s a key lesson for business leaders to take away from the Equifax breach and the muddled, unclear responses the Senate got out of Smith and former Yahoo CEO Marissa Mayer: Don’t get caught with your cybersecurity pants down.
Had Equifax simply taken the time to patch a vulnerability, Mayer would have been alone at that Senate hearing.
It didn’t, though, and that should be a wakeup call to everyone.
The top three takeaways for readers:
- Equifax’s third quarter earnings revealed that the company lost $87.5 million dealing with its recent data breach, which may have led to a profit loss of 27% over Q3 2016.
- Despite huge recovery spending, former Equifax CEO Richard Smith said the company still had no idea where the attack came from. It does know what happened, though: the company failed to apply an Apache patch that could have stopped it.
- The average data breach costs far less than Equifax’s, but the average breach still has a similar theme: Unpatched vulnerabilities. Keep your systems up to date to avoid a similar fate.