Data breaches are now so common – and so large – that we measure them in percentage of worldwide internet users. Although Equifax doesn’t even make it into the top 5 at 4.08% of the approximately 3.5 billion internet users, news of it rocked citizens of the US when announced. The Equifax breach has unique characteristics that will change consumer behaviors in the US.[i] One critical element of the Equifax breach is that it did not expose credit cards numbers – which is a hassle but can be replaced – but exposed hard and even impossible to replace and change information such as names, Social Security numbers, birth dates, addresses, and, in some instances, driver’s license numbers. The amount and type of data loss experienced in this breach will change how consumers look to purchase goods. From Forrester’s ConsumerVoices Market Research Online Community, consumers said they would stop:

  • Opening new lines of credit.
  • Shopping online as frequently.
  • Using non-government credit monitoring programs.
  • Favoring cards to cash.
  • Using stored online payments.
  • Giving personal information in exchange for coupons or discounts.

With consumer confidence and trust waning, Social Security numbers as a form of identification called into question, and the security of data being stored by data aggregators questioned, expect shockwaves throughout the data economy.

The Equifax breach also highlighted the ever-increasing enterprise dependence on open source software and the associated risks that come along with it. Combined with the lack of multilayered application protection for revenue-generating applications, security leaders find themselves unready to defend their firm’s digital transformation. A startlingly few number of developers work on the open source components most customer-facing applications rely on. For example, a single developer is responsible for 85.19% of all code changes for Apache Tomcat, and just one developer is responsible for 80.08% of all code changes in Apache Struts (see below).  This is why security fixes are delivered only on the latest version of an open source component. Should we stop using open source?  No. But we need to strengthen governance of open source components, supercharge our ability to quickly remediate vulnerabilities, all while avoiding making data security the sole problem of software developers. The intersection of data, code, and revenue in our data economy demands a set of layered protections.


For more information on how the Equifax breach will haunt us in years to come, and practical lessons to prevent a similar breach, see the “Equifax Exposed Two Massive Systemic Risks” Forrester report.   For more information about Forrester’s ConsumerVoices Market Research Online Community, please visit

[i] For more information about the other breaches that beat out Equifax in terms of percentage of worldwide internet users, see “Top Cybersecurity Threats In 2017.”