Credit reporting company Equifax held third-party ISO 27001 certification for its Information Security Management System (ISMS) at the time of the 2017 security breach, which led to the theft of the personal information of over 147 million Americans. The scandal caused the company’s CEO to resign, and led to the arrest of a senior Equifax executive for insider trading after it was discovered he had been selling his shares in the company before the public release of the hack story. According to a report on Cnet, the thieves “spent 76 days within Equifax’s network before they were detected.”
ISO 27001 certification is supposed to provide third-party confirmation of a company’s ability to properly safeguard electronic data and the systems used to house it. The marketing of ISO 27001 certification by registrars such as BSI emphasizes these claims:
Keep your information confidential with a certified ISO/IEC 27001 system and show that you have information security risks under control. Compliance with world-class standards can help you win customer trust and gain new business opportunities.
Ironically, the US and UK websites for ISO 27001 information from the certification body Bureau Veritas were broken at the time of this report.
Nevertheless, it now comes to light that Equifax held third-party certification to ISO 27001 as early as 2015, years prior to the attack. Victimized consumers then suffered additional problems with Equifax systems, including its website, when trying to report the impact of the hack on their credit profiles, leading to widespread criticism of the Equifax data security protocols. Those same protocols would have been in place during multiple ISO 27001 certification audits, and yet the company achieved ISO 27001 certification regardless.
The Dutch certification body EY CertifyPoint, accredited by the accreditation body RvA, lists Equifax’s Alpharetta GA headquarters as having an ISO 27001 certificate issued by it, under certificate number 2011-007. EY CertifyPoint is related to the accounting firm Ernst & Young. RvA is a member of the International Accreditation Forum (IAF). The prefix for the certificate number indicates the certificate was awarded in 2011.
A 2017 Annual Report published by Equifax addressed the controversy by admitting the company had its ISO 27001 certificates suspended after the hack was publicized. All of the Equifax websites have apparently since been stripped of any mention of ISO 27001, except for that of Equifax India.
Equifax is being sued by consumers in US Federal court over the hack. The official complaint names Equifax executive Shea Geisler as a defendant, citing his management role in overseeing the company’s ISO 27001 system. It is thus likely that the ISO 27001 certification held by US Equifax locations will be part of the subsequent trial.
While Equifax avoided fines in the US by cutting deals with state regulators, the UK fined the company £500,000 for the impact the breach had on UK consumers. Consumers have long complained that credit reporting agencies have unprecedented sway over political parties in the US.
In June, the UK-based ISO 27001 certification body Alcumus ISOQAR admitted it had been hacked after it accidentally sent a phishing email blast to its customers, apparently the result of ISOQAR employees clicking on links in unverified emails themselves. It’s not clear how many Alcumus customers were impacted.
The companies responsible for manufacturing defective Takata airbags, causing the largest automotive scandal in the industry’s history, also held ISO certifications. Similar to the Equifax scandal, once the story unfolded, all evidence of their certifications was removed from the web, except for remnant press releases showing the companies had been certified by Entela. That certification body was subsequently sold to Intertek, to which its clients would have transferred, but Intertek has refused to answer questions regarding the Takata scandal.
At an increasing rate, companies involved in high-profile product recalls, consumer injuries or deaths, or other scandals are found to have held various ISO certificates at the time of their malpractice. In almost all cases, these certificates are issued by certification bodies accredited by ANAB, UKAS or another signatory to the International Accreditation Forum (IAF) requirements. Nevertheless, IAF has refused to launch an investigation into how its systems routinely fail to live up to the marketing of the certification and accreditation bodies it oversees.
[UPDATE 11 October 2018: This report was updated to list EY Certify as Equifax’s certification body, which was discovered after the initial report was published.]