A year ago this week, the credit bureau Equifax saw signs of a problem on its network. A really big problem. Hackers had entered the company’s systems[1], stealing the personal and financial data of more than 147 million people[2] in the United States, including Social Security numbers, dates of birth, home addresses, and some driver's license numbers and credit card numbers. Though other breaches have exposed more total records[3], the Equifax debacle is generally considered the worst corporate data breach ever in the US, because of both the scale and the nature of the information it exposed.
Equifax was also woefully underprepared[4] to handle the fallout, botching both the public disclosure and its effort to make resources available to impacted people. In the months since, the credit bureau has remained fairly quiet amidst class action suits, congressional scrutiny, a Federal Trade Commission probe, and a wave of new state regulations designed to ensure that Equifax substantially improves its security defenses.
As part of this, process the company hired a new chief information security officer, Jamil Farshchi, in February. In a series of interviews, he and other top executives told WIRED that the company has committed to an expansive multiyear effort to transform its corporate and data security approach. The question at this point, though, is whether it could possibly be enough.
Mending Fences
Prior to Equifax, Farshchi had overseen information security at high-stakes companies like Time Warner and Visa, as well as government groups like Los Alamos National Laboratory. He's also no stranger to emergency response; Home Depot brought him in to help clean up the company's massive 2014 data breach, which exposed 56 million credit and debit card numbers. But working at Equifax now, Farshchi acknowledges