The Equifax data breach – why their failure is now my problem
Like many of us who heard about the Equifax data breach last week, I went to their website over the weekend to check if my data was among the 143 million accounts that may have been compromised. Sure enough, it was. Fabulous. I was promptly directed to another Equifax webpage and notified I was eligible for free enrollment in their “Trusted ID Premier” credit monitoring service. Wow! How reassuring. And so, I began researching credit freezes (not convenient to do), monitoring services, dark web scans, identity theft protection services, etc. Not surprisingly, a lot of these services will cost you money. The credit bureaus hold the keys to my financial identity kingdom, and Equifax allowed them to be stolen. Now it is up to me (and every person affected) to be part of the remediation effort. Should I be more understanding? Not really. Why? Since I work for a company that provides IT security consulting services, I accept the fact that keeping bad actors out of corporate networks is virtually impossible. What I do know, however, is that you can detect they got in and prevent them from making off with the goods. It’s all about preventing data exfiltration. It’s like when a thief breaks into your house: sure, it is unnerving to think someone was in your living space without your knowledge, but it’s worse when they steal your brand new 4K HD flat screen TV. Here is why I am a little ticked off.
Equifax waited about 40 days to notify the public about the breach. To me, that is a stunningly long period of time to let me know that my personal data is likely floating out on the dark web for sale. During that 40-day window there were undoubtedly endless meetings with attorneys and PR staff on how to best contain the damage to the Equifax business. So far, they have fumbled through the communication phase. They are clearly more concerned about lawsuits against them than about my personal data being loose in the wild. A few executive heads will roll, I am sure. On Monday, the company lost something like $3 billion in market value, so that will get investors’ and the board’s attention. The feds are circling. You can picture big time law firm attorneys giddy with greedy joy at the opportunity to litigate on behalf of the jilted consumer. Oh yeah, Equifax is going to be a real fun place to work over the next few months, but why did this happen at all? Are the hackers’ skills, which are undoubtedly very good, just too much for conventional security practices? Perhaps. Or was Equifax’s security strategy simply not up to the task? If history holds true, once the details of how the hack was carried out come to light, it will turn out that obvious and completely preventable mistakes were made. Probably by humans. Security staff ignoring alerts or not seeing subtle trends in data movement, for example. Maybe some unwitting employee falling for a phishing attack. I doubt it was a technology problem. More likely, a technology deployment problem. You can bet the CIO’s and CISO’s seats at Experian and TransUnion just got a lot hotter for sure.
The cynic in me envisions a boardroom discussion at Equifax going on right now, where executives are consoling themselves that the brand and financial impact will be temporary. After all, did people stop shopping at Target? Maybe for a little while, but most came back. Breaches are so common now that it is only a matter of time before we just accept this as the new normal. Ah yes, apathy, the ultimate public cloak for incompetence. Having said this, we are never going back to stuffing mattresses with money or doing business only in cash. I love shopping on Amazon. I do nearly all my banking online. It’s simply way too convenient. So, in some awful, crazy way, that thinking is correct. What it doesn’t and shouldn’t do is absolve them of their responsibility to protect my personal information. Here’s an idea: Equifax and the other credit bureaus should invoke a perpetual freeze on everyone’s credit information, to be lifted only upon the individual’s approval on an as-needed basis. It should be up to me to choose to whom I release my credit information. A virtual credit file drawbridge, if you will. If my credit card provider can text or call me with suspicious transactions to authorize, why can’t the credit bureaus do the same? Getting a car loan? Send me a text to authorize the release of my credit report. Doesn’t it just seem that simple? If the credit bureaus need us to help clean up their data security mess, then the least they could do is make it easy for me.