Blog post

Equifax Data Breach: It’s the End of Cybersecurity as We Know It

By John A. Wheeler | September 14, 2017 | 10 Comments

Technology and Emerging TrendsTech and Service ProvidersSecurity and Risk Management LeadersSecurityRisk ManagementLegal and ComplianceIRMintegrated risk managementCyberinsuranceCyber securityCyber riskBusiness Continuity ManagementAudit and RiskEnterprise Risk Management Program ManagementRisk Assessment Process and MethodologiesRisk CoverageRisk Response Strategies

As most everyone knows by now, one of the single largest data breaches in history was disclosed last week by the credit reporting giant, Equifax. While most people are rightly focused on the immediate impacts of this breach – personal fraud, credit and identity protections, waivers of right to sue, class-action lawsuits, etc. – few have considered the longer term implications of this event. So, here are three predictions of how the cybersecurity world will change in light of this monumental event.

1. Bankruptcy looms ahead for Equifax

In the last 4 business days since the company disclosed the data breach, Equifax has suffered a $5.3 billion loss in market capitalization which represents almost a third of the company’s total value. When considering an estimate of the potential costs associated with the data breach (based on the 2017 IBM/Ponemon Institute Cost of Data Breach Study), Equifax faces a potential loss of $20.2 billion which currently exceeds their total market value by $8.3 billion. Also, the company currently faces more than 23 class-action lawsuits with at least one seeking more than $70 billion in damages. The death spiral will soon take on greater momentum when executives are required to testify before Congress and criminally investigated for potential insider trading related to the delayed disclosure of the data breach. Equifax will ultimately be acquired out of bankruptcy by one of the remaining two credit reporting companies – TransUnion or Experian.

2. Social Security Number will be replaced by a more secure National ID

The use of Social Security Numbers (SSN) as the primary authentication device for US citizens will be eliminated. What will replace the SSN is anyone’s guess, but it can no longer serve in this capacity since at least half of the nation’s primary method of authentication has been compromised. Perhaps the US will follow Estonia’s lead in creating a true electronic national ID?

3. A federal cybersecurity act will be passed quickly

Attempts at passing federal legislation over cybersecurity have been futile in the past, but all of that will change. Similar to what happened in the aftermath of the Enron and Worldcom accounting frauds, broad reaching legislation will be crafted and passed much like the Sarbanes Oxley Act of 2002. This will occur because the impact of the Equifax breach is being felt by every single American (as well as some Canadians and Brits). Similar to the Sarbanes-Oxley requirement on the certification of internal control over financial reporting, CEOs and other executives will be required to disclose any material data breach upon discovery and personally certify to the effectiveness of their internal control over data security.

These predicted events represent major opportunities for real improvements in the management of cyber-risk and significant growth in the demand for integrated risk management (IRM) technology solutions and services. To learn more about how IRM can help your company, read more at the Gartner Blog Network or subscribe to Gartner to read more of my research on IRM technology solutions.


The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Robin Horan says:

    As UK resident, how can I check if Equifax had any of my details, and if so what has been disclosed to the hackers?

  • Peter Cooper says:

    Hi John, good insights, but I have some comments. For the class actions, look at what happened with Target. A measly $10m for consumers, & only if they could prove harm. I suspect that there will be more noise than a real outcome. For the use of SSN as an identifier, the credit card schemes have had plenty of opportunity to improve the way retailers handle cardholder data (& chip + PIN is a good step) but the future of e-tail is card not present & this is where fraud is going. So I don’t see that there is a real incentive for the people who “own” SSN to actually do something differently. As to long term financial damage to the company, let’s wait & see. The majority of companies who’ve had breaches have gone on to be very healthy. Good companies & bad companies have breaches, it’s how they respond that differentiates them. When it comes to cyber security legislation, Nevada & Washington have enacted legislation building on the use of PCI-DSS. The challenge with legislation is knowing what to base it on. I suspect people will debate that for a long time to come. Cheers

    • Thanks Peter for your comments. On the target breach, since it was credit card data that can be changed easily, courts did not view it as a case of real long-term harm. With equifax, SSN will impact everyone for life with no ability to change. So, proof of harm is much easier and frankly unlimited. Hence, the reason for replacing SSN. On legislation, I’m not saying it will necessarily be good or effective. However, politicians will have to do something to placate the voters who are impacted across the board – democrat, republican, libertarian, green, independent, etc. Identity theft is a multi-partisan concern.

  • Ant Allan says:

    Hey, John.

    I partly disagree with your second point. There’s no need for SSN to be replaced by something “more secure” – as an identification number, a label, a unique name, it’s still just fine.

    The problem, as you note, is that an SSN should not be used for authentication – something Gartner, and others, have been saying for years!

    Knowing my SSN (NI number in my case, since i’m UK based!) no more corroborates that I am me than knowing my name does. (Or knowing my mother’s maiden name – it’s Stockmann, btw.)

    The value of SSN lies in uniquely identifying me and disambiguating me from all the other Ant Allans out there.

    The acceptance that SSN is used for authentication has created the need to treat it like a “shared secret”, which has stopped folks (incl. clients I’ve spoken to) from using it freely where such a unique identifier would be far more useful and robust than home-grown schemes.

    Talking about the Estonian “electronic national ID” also includes an ambiguity which leads to bad practices – the conflation of an “identifier” with an “identity” (both of which are abbreviated “ID”). A new electronic national /identity/ could still use SSN as a person’s /identifier/.

    The real value comes from whatever methods are then used to corroborate that the identity (identified by the SSN) belongs to the person make that claim.

    And that is the hard part. Even some kind of “mobile ID” (“identity”?) using public-key credentials is not going to be the be all and end all.


  • Dan Megan says:

    I agree with all your points John though I might add, I hope any federal cybersecurity act isn’t so vague that is rendered ineffective at making real impact. For example, to say one must take “adequate measures to protect sensitive data” – is so subjective firms are left not knowing what meets that standard. The technology exists to protect data across the enterprise far better than just a few years ago – but enterprises need to view security just as critical as they do say Up-time of their systems.

  • Qqratu88.Com says:

    I blog frequently and I truly appreciate your content. The
    article has truly peaked my interest. I am going to book
    mark your blog and keep checking for new information about once a
    week. I subscribed to your Feed too.

  • Therefore, finding people search engine results quickly will ‘never’
    be free. I’m going to walk you through these 7 basic steps about simple tweaks you can create for
    a product to restore more significant and simple follow-up strategies.
    Then when you watch races, continue eye to them and what they are doing each race.

  • VR Festival says:

    Attractive section of content. I just stumbled upon your website and in accession capital to assert
    that I get in fact enjoyed account your blog posts. Anyway I’ll be subscribing to your augment and even I achievement you access consistently