A year ago this week, the credit bureau Equifax saw signs of a problem on its network. A really big problem. Hackers had entered the company’s systems, stealing the personal and financial data of more than 147 million people in the United States, including Social Security numbers, dates of birth, home addresses, and some driver's license numbers and credit card numbers. Though other breaches have exposed more total records, the Equifax debacle is generally considered the worst corporate data breach ever in the US, because of both the scale and the nature of the information it exposed.

Equifax was also woefully underprepared to handle the fallout, botching both the public disclosure and its effort to make resources available to impacted people. In the months since, the credit bureau has remained fairly quiet amidst class action suits, congressional scrutiny, a Federal Trade Commission probe, and a wave of new state regulations designed to ensure that Equifax substantially improves its security defenses.

As part of this process, the company hired a new chief information security officer, Jamil Farshchi, in February. In a series of interviews, he and other top executives told WIRED that the company has committed to an expansive multiyear effort to transform its corporate and data security approach. The question at this point, though, is whether it could possibly be enough.

Mending Fences

Prior to Equifax, Farshchi had overseen information security at high-stakes companies like Time Warner and Visa, as well as government groups like Los Alamos National Laboratory. He's also no stranger to emergency response; Home Depot brought him in to help clean up the company's massive 2014 data breach, which exposed 56 million credit and debit card numbers. But working at Equifax now, Farshchi acknowledges the unprecedented scale of the crisis. "We had one of the most impactful breaches of all time," he says.

In the year since the breach, the company has invested $200 million on data security infrastructure. And Farshchi says Equifax has given him the resources he needs to build a stellar security program.

"One of the things that I really love about being a CISO in a post-breach environment is it gives you such an immense opportunity to drive fundamental, meaningful change in a very short timeframe," Farshchi says. "I felt like I did good things when I was at Los Alamos or at NASA, but it takes so frickin' long to push some of this stuff. The barriers you face at any company not post-breach is you're always fighting for budget, you're always fighting for face time, trying to justify and convince people about the importance of security and risk management. When you're in a post-breach environment, everyone already knows that it's critically important."

At a Congressional hearing in October, Equifax's former CEO Richard Smith hinted at the reckless approach to security the company took for years. Smith said that he had only met with company security and IT executives quarterly to discuss Equifax's status—four meetings a year to defend the crown jewels of US consumer data. He indicated that the company's software patching operation was inadequate and flawed. And he even admitted that Equifax's data storage approach didn't involve consistent, robust encryption.

That lax attitude is what left the hole hackers exploited to penetrate Equifax's networks and steal consumer data. The bug was a known weakness in a web framework the company ran; a patch had been available for about two months before hackers entered Equifax's network, and the company had failed to apply it. Once the attackers were inside, Equifax's poor data hygiene, permissive access controls, and open network architecture allowed them to move through the environment and grab a priceless trove.


"The first step has been to stop the bleeding," Farshchi says of his work since starting with the company. "We have to harden the perimeter and make sure that we do not have any more weaknesses up front." At the beginning of a breach remediation process, prioritization is the toughest challenge, Farshchi says, since so many improvements and initiatives merit attention. So he emphasizes fundamentals, completing the essential baseline projects before anything else.