The Wall Street Journal Pro Report of December 19, 2017, was devoted to the issue of cybersecurity. The chilling reality is that national governments, state and local governments, businesses and individuals are at risk of being attacked at any time by cyberthreats. In our post today, guest blogger Jason Clause of Endsight discusses the Equifax data security breach and what we as business people can learn from it.
The Event
The Equifax data breach was one of the most serious in history. Consumers and businesses were shocked when Equifax announced on September 7 that more than 140 million people, adults and minors alike, for all intents and purposes, had their identities stolen. Names, birthdates, social security numbers, and other personally identifiable information were hijacked through an elementary vulnerability in Equifax’s customer-facing website. The breach left millions vulnerable. Businesses and governments have been affected as well, as they struggle to confirm the validity of the data they receive from Equifax and look to methods to safeguard the data for which they, themselves, are responsible. Lessons can be learned, and, as consumers and businesses apply these lessons, they will become better equipped to handle today’s big data environment.
What is Equifax?
Many consumers had never heard of Equifax when the data breach was announced. Once they learned, anger mounted as consumers wondered how a company they had never heard of had obtained so much of their personally identifiable information and then failed to adequately protect it from hackers. Equifax is in the business of collecting, analyzing, and reporting on data. Although it is not clear where they source all of the information they store about consumers, much of it comes from credit applications. Equifax is one of the “Big 3” credit reporting agencies (CRAs), as are TransUnion and Experian. The information they collect is mostly used to help lenders assess how much of a risk a consumer may be when applying for credit or taking out loans. Companies from which an individual has taken out a credit card or loan in the past send consumer information to each CRA on a regular basis. Banks, not just private lenders, also send Equifax consumer information. So, anyone who has ever had a checking or savings account was fair game for hackers, including minor children who have their own or joint accounts with a family member. The purpose of CRAs, and of their cooperation with businesses such as creditors, is to help those in the lending industry know whether a consumer pays their bills on time and should be extended credit, or whether that consumer is so overextended that a lender would have little hope of getting their money back. Scary as they can seem, CRAs really do protect the economy, as they protect businesses from people who are less likely to pay their bills or pay bills on time.
What Happened and When?
The mid-May to July 2017 Equifax data breach was publicly announced on September 7, 2017. A previous breach in March 2017, which Equifax claimed was unrelated to the larger breach, was announced to the public days later. Equifax had already been under investigation for the March breach when the second breach occurred. Personally identifiable information for nearly every U.S. adult, as well as a great number of children, was stolen through an attack on the Equifax servers. Software that was used to build the credit report dispute portal of the Equifax website allowed cybercriminals to access Equifax servers through the Equifax website. Equifax waited months after they knew of the breach before they announced it. What makes this even more egregious is that Equifax has said they even knew about the flaw in the software months before the breach occurred and tried, but failed, to patch the flaw.
What are the Implications?
The Equifax data breach brings with it many implications, the first of which is consumer identity theft. Business owners should be very concerned about the implications. CEO impersonation scams and wire fraud are real possibilities. The biggest problem is that much of the information that was stolen, unlike passwords, is information that cannot be changed. With few exceptions, nobody can change their mother’s maiden name, where they lived in the past, or their social security number. The potential for identity theft after the Equifax breach is so great that the Social Security Administration has expressed interest in finding a new way to identify consumers, as it becomes more concerned over tax fraud, stolen retirement and disability funds, and the overall health of the economy in the information age. Besides tax fraud, there are other serious risks, including:
- A thief taking credit or employment in someone else’s name;
- Stealing from consumers in the form of intercepting government checks;
- Impersonating someone at a hospital to obtain healthcare or health information;
- A report of criminal behavior in your name when someone using stolen identification is arrested;
- Online impersonation of you using stolen identity information; and
- Voter fraud using stolen identity information.
What To Do
Consumers can take a variety of actions, from precautionary to preventative. Precautionary steps include registering with an identity theft protection service like LifeLock, IDShield, IdentityForce or another such service provider, of which there are many. Some may want to take even more aggressive preventative action and pull and freeze credit reports for themselves and everyone in their household. Even children, who generally do not have credit reports, can be vulnerable to identity theft, so guardians should see if their children have credit reports that may have been compromised as they check their own. Password questions and answers should be reviewed regularly, now more than ever. Typical questions, such as what street someone grew up on, mother’s maiden name, and make and model of a first car, can now all be answered by anyone who has access to stolen Equifax records. Businesses have been affected by the breach as well. Businesses are spending more time and money confirming the validity of the information they receive from Equifax and from consumers. Online retailers, especially, face an increased risk of dealing with fraudulent transactions and all the associated costs.
Lessons Learned
Tragic as the Equifax data breach is, there are valuable lessons to be learned from it. The vulnerability of data and information is a reality of the fast-paced life we live in the information age. I suggest all consumers regularly pull and check their credit reports for errors and fraudulent activity. Businesses, too, need to step up their game. They need to protect consumer data by reaching out to providers regarding security analytics and spending the time and resources that Equifax declined to spend. Consumers don’t have nearly as much control over their own information as businesses do. Thus, businesses are usually in a better position than individuals to safeguard their information. To protect their business interests as well as to protect consumers, businesses should re-evaluate their disaster recovery plans and be prepared to spend the time and money required on security to protect one of the most valuable assets a business can have today – consumer information and identities.
About the Author
Jason Clause is an East Bay IT Consultant at Endsight and the host of “The Jason Clause Show,” a podcast dedicated to helping busy managers find and share good ideas about the craft of business management. Topics include IT security, communication, leadership, team building, productivity and technology. You can find the show on iTunes or at www.jasonclause.com