What the Equifax Breach Means for the Future of Securing Sensitive Data

There’s really no nice way to say it, what happened at Equifax last week was the biggest failure to safeguard public data to date. Yahoo had more records compromised, but those weren’t nearly as sensitive.  Furthermore, Equifax’s response has been characterized by Brian Krebs, a leading security expert, as a “dumpster fire.” Krebs goes on to write: “I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now.” This is pretty much as bad as a data breach can get in the financial services industry. Equifax literally stores every piece of a person’s online identity, including:

• Social Security Number
• Driver’s License Number
• Date of Birth, Address and Phone Number
• Bank Account and Credit Cards (with balances)
• Loan Numbers, Creditors, and Debt Amounts

Except for maybe your health records, what could be more important to protect? Now that info is out there and the real question becomes what will the response be? In my opinion, we’ll see one of two outcomes emerge.

Lack of Accountability Influences Companies to Stop Caring Altogether

I don’t think this outcome will be the case, but it’s certainly worth exploring. The Equifax response can be described as woeful at best, and if they aren’t held adequately accountable this will become the standard for other financial institutions entrusted with sensitive public data.

Equifax stock dropped 13% after the breach was announced. That may sound bad initially, but if that’s the only repercussion, is it enough to really affect change? It really seems to be more of a nuisance to Equifax than a genuine concern. Let’s start with the six weeks that passed between breach identification and notification to the public. SIX WEEKS! Why even bother at that point? You have to assume that data is already published and sold on the dark web. It also doesn’t look very good that three top executives sold off huge chunks of company stock right after the breach was identified but before it was made public. They claim they didn’t know, but it’s extremely suspicious. Then, to make matters worse, their offer to compensate those affected is one year of free access to their credit protection services…credit protection services from the same company that just lost data! It’s not only an insult, but can be used as a database to solicit more revenue from this service after the free first year expires. This hardly looks like stiff, culture changing punishment.

What’s a consumer to do? When Target and Home Depot were breached, customers could use their feet and go to a competitor to punish them. When a ransomware attack takes a company down, that company is directly impacted by the loss of system availability. In this case, there’s little if anything that can be done. Consumers can’t have their personal information removed from Equifax’s database and, unless the government imposes fines or puts them out of business, what’s the real impact to Equifax? If unchallenged, this will become the new norm. Why would other financial institutions protect their data if they know they can just pay for credit protection and be done with it? That could be a lot cheaper and easier than investing in a real security program. It’s a terrible precedent and for the sake of everyone I hope it’s not the end result.

Overregulation and Strict Compliance Force Painful, Expensive Accountability

This one’s not much better, but it’s the more likely outcome if you ask me. Entities like the Consumer Financial Protection Board, NY Department of Financial Services, and Federal Trade Commission could be on the march to make an example of Equifax and rightfully so. I’m usually not an advocate for more oversight, but someone’s got to be held accountable here and there aren’t a lot of options at the consumer’s disposal other than filing a class action law suit. One doesn’t have to look much further than the housing market to see how this ends – painfully intrusive compliance audits that force companies to put controls in place or risk losing their ability to stay in business.

Politicians have already started to pounce and that usually doesn’t bode well for companies on the receiving end. Below are just a couple of examples:

• Massachusetts Senator Elizabeth Warren – “It’s outrageous that @Equifax – a company whose one job is to collect consumer information – failed to safeguard data for 143M Americans.”
• New York Attorney General Eric Schneiderman – “My office intends to get to the bottom of how and why this massive hack occurred.”
• Colorado Representative Diana DeGette – “As a country we need to craft new means to keep thieves and hackers from obtaining and using personal information. Simply compensating consumers whose data has been hacked with a year of monitoring is not going to be enough”.
• Virginia Senator Mark Warner – “The #EquifaxBreach raises serious questions about #Cybersecurity that Congress must address head on and soon”.

There’s already some cyber security regulation in place, but I think this breach is going to be the straw that breaks the camel’s back in terms of punishment and accountability. You can’t force executives to care about protecting this information, but you can hit them where it hurts – their bank accounts. This is where I think we finally land, and if it doesn’t happen at the federal level, anticipate it happening at the state level like it already has in New York. That’s right, up to 50 different security checklists and larger corporations can anticipate each state to act on it with 50 different onsite inspections. If security seems expensive now, just wait until it’s necessary to hire a full legal team just to interpret the different laws. Unfortunately, that’s almost a certainty now.

I wouldn’t be surprised if some heavy fines are levied against Equifax that force this conversation in each and every board room. Will this actually make us more secure? Maybe, maybe not, but it’s probably where the industry is headed. Prepare now or be crippled by lengthy, expensive, time-consuming checklists along with the fines that accompany non-compliance later.

Continue the cyber security conversation with Tom on 9/28 at Arraya’s forum: Identifying, Monitoring, and Analyzing Security Threats. This free, full morning event will feature multiple presentations designed to help IT professionals thrive in today’s increasingly harsh security climate.