I am not happy about the massive Sep 2017 Equifax breach (or any other breach). All of us have a right to be angry with this leadership failure.
But I worry that emotions like anger at this breach might be distracting us from bigger issues, such as: do we want companies that aggregate data on U.S. citizens to be empowered to sell that data to anyone, anywhere?
More background: Equifax is now reporting that hackers have obtained not just personal information you would expect in credit reports, but a surprising array of other data. This includes images of passports and driver's licenses and important personal papers. These other items were reportedly provided to Equifax by consumers who were told this would help them in disputes with the company.
I am not confident at all that we have the full story here. Stand by for more updates from forensics on Equifax over the coming months.
But for now, here is the latest, according to an Equifax SEC statement:
As a result of its analysis of the standardized data elements, including using data not stolen in the cybersecurity incident, the Company was able to confirm the approximate number of those impacted U.S. consumers for each of the following data elements stolen in the cybersecurity incident: name (146.6 million), date of birth (146.6 million), Social Security number (145.5 million), address information (99 million), gender (27.3 million), phone number (20.3 million), driver’s license number (17.6 million), email address (1.8 million), payment card number and expiration date (209,000), TaxID (97,500) and driver’s license state (27,000).
Yes, breaches are bad, and yes leadership can prevent them.
But how can anyone think this breach caused them more personal damage than what Equifax is already causing by selling this information?
Reminder: Equifax and other credit reporting companies collect this information because it is their business model. They sell our data for money to businesses and countries.
In the old days, companies like Equifax made money by selling insights to firms that wanted to lend people money. The information those customers needed was the information associated with an ability to repay a loan. That was helpful to banks and consumers alike, so this service became a very important part of the ecosystem. But for Equifax and others to make the really big bucks they needed bigger markets. Now they seemingly sell data to anyone who can pay. This data can be used by companies that want information so they can market to you, or so they can do background checks. Governments may want the data for background checks, security clearance investigations, help suppressing dissidents, help recruiting espionage agents/spies, or other activities.
I have heard from people in the industry that there are limits on how much data can be sold, but have not verified those limits and believe the default setting of firms in that line of work is to sell data at scale.
All of the above makes me think this breach was probably not a state-sponsored breach. Why would China or Russia hack this data if they could just buy it? Who knows, maybe one of these countries decided to steal it because it is cheaper to do that. But Occam's razor makes me think there are more reasonable explanations. It could be that a well-resourced group of hackers who normally work in support of national objectives took this hack on under their own initiative, either for criminal reasons or because they did not realize their country was already buying the data.
It is absolutely right for us to think through the legal and regulatory environment we want to govern situations like this. Currently the only real oversight of credit reporting companies like Equifax, TransUnion, Experian, and Innovis is the U.S. Fair Credit Reporting Act, which requires the companies to give you access to your data once a year and allow for disputes. Most of the regulation in the industry happens at the state level. Maybe we need federal regulations that dictate what aggregators of U.S. citizen data can use that data for. Maybe it is time for something like a U.S. version of the E.U.'s GDPR. The version I would advocate would not only require independent assessments of the security posture of the data (which should all be encrypted), but would also restrict what data could be sold and who it could be sold to.
This issue could be far more important for us to focus on than the breach itself. Do we want companies empowered to aggregate data on our citizens and sell that to anyone with little or no oversight/regulation?
So, some concluding food for thought: Do you think Equifax is mad that our data was stolen because they care about our privacy or because it means someone got our data without paying them for it?
Some other resources to dive into on these topics:
- What The Board Needs To Know About GDPR
- CTOvision Cyberwar and Cybersecurity News
- Crucial Point on Cybersecurity Best Practices
- CTO Advisory Services/CTO-as-a-Service
- CISO Advisory Services/CISO-as-a-Service