The U.S. Justice Department recently indicted four Chinese nationals in connection with the 2017 Equifax hack that resulted in the theft of more than 145 million people’s personal information.
Prior Lake’s Mary Frantz is the cybersecurity expert witness in the multi-year case, which is trying to establish how one of the largest data breaches in history happened at one of America’s largest and oldest consumer credit bureaus.
On Frantz’s recommendation, the case reached a settlement in which Equifax will pay at least $1 billion in security updates and improvements over five years, on top of a previously agreed $380.5 million fund for consumer damages.
“This was the first time that I ever asked for a billion-dollar spend and got it,” Frantz said. “They didn’t even argue. The judge, Equifax, the attorneys, everybody took my entire declaration verbatim and didn’t even make a change to it. That’s a huge win for consumers.”
Frantz, a Prior Lake-Savage Area School Board member, is founder and managing partner of Enterprise Knowledge Partners LLC, a national information technology, security and forensics firm based in Edina.
In early 2018, attorneys for the plaintiffs in the consumer case against Equifax hired EKP and Frantz as an expert.
For about 16 months she traveled back and forth to Equifax’s headquarters in Atlanta, reconstructing the hack and examining the company’s security systems and protocols.
She submitted her findings to the U.S. District Court for the Northern District of Georgia in July.
“It is clear that Equifax’s pre-breach cyber security controls fell short of industry standards,” Frantz wrote. “This deficiency was amplified by Equifax’s risk profile and the massive amounts of extremely sensitive consumer data that Equifax collected, processed, and stored.”
She found inconsistent security measures and protocols and known security weaknesses that went unpatched.
For years Equifax used technology from Apache Struts, which in 2017 announced that it had discovered vulnerabilities in its system. According to Frantz’s investigation, “two days later, unidentified individuals were scanning Equifax’s systems for the vulnerability.” Equifax didn’t attempt to search for the issue in its systems until over a week later.
“If proper asset management and data classification and handling had been in place at the time ... there is a strong likelihood the breach would have been stopped or detected before the data was exfiltrated,” Frantz wrote.
Over several months, hackers used these gaps to steal names, birth dates, Social Security and driver’s license numbers and other information, including credit card information for around 200,000 Americans.
“We at Equifax clearly understood that the collection of American consumer information and data carries with it enormous responsibility to protect that data,” former Equifax CEO Richard Smith testified to Congress in October 2017.
“We did not live up to that responsibility, and I am here today to apologize to the American people myself and on behalf of the Board, the management team, and the company’s employees.”
Frantz said her role is notable for another reason.
“I’m the only woman who’s ever done this. I’m the first female at this level, and that’s what I’m excited about because I want to encourage more women to go into this field,” Frantz said.
The Equifax case is an addition to Frantz’s resume of forensic and cybersecurity qualifications that includes almost 30 years in IT and work in around 20 data breach investigations.
She said she views it as a step in the right direction for a field that is overwhelmingly dominated by white men.
“I still walk into rooms and people go, ‘Who is she? Can she get my coffee?’” Frantz said.
If consumers want safer, more robust security systems, they need to encourage more kinds of people in the field, she added.
“For cybersecurity in particular, your best bet is to have a diversity,” Frantz said. “We really need people who think outside of the box because that’s what the hackers are doing, is they’re understanding who we are, what we do and what we’re more likely to fall for or what we’re not going to be concerned about.”