On September 7, Equifax announced that it had experienced a cybersecurity incident. With approximately 143 million user records compromised, it may not have been the biggest breach in recent history, but it might turn out to be one of the most significant because of the type of data compromised and because the breach directly affected almost half of the U.S. population.
We’re living well and truly in the digital era, where data has become the new oil, and everyone is trying to get their hands on it.
To take this a bit further, raw data is akin to crude oil – in many instances it needs to be refined to be usable for a specific process. This refinement process can take on many forms: an algorithm that analyzes for trends, a statistical analysis, or something more basic, like filtering it based on location or gender. Data is often used for a variety of different purposes depending on its volume and how much it has been refined – and each type of data can serve a particular purpose. As a result, all types of data, ranging from personal and financial data to seemingly benign information shared through WiFi hotspot locations, are increasingly being targeted.
While companies of all sizes across all verticals are experiencing an influx of attacks and data breaches, the Equifax incident was unique in several ways that make it worth looking at more closely.
3 ways the Equifax breach is different
The Equifax breach is distinctly different from other similarly large breaches – most notably because many of the individuals impacted weren’t actually Equifax customers. The credit bureau had obtained much of its information through business dealings with other organizations. Like Equifax, many companies have access to personal data that originated elsewhere, and this complexity makes it difficult for individuals to understand just how far their digital footprint extends. This is one of the main reasons why supply chain security is vitally important, because knowing who has access to your data, and for what purposes, can help with mitigation and recovery in the wake of a breach.
The second unique aspect of the Equifax breach also stems from the fact that so many of the impacted users weren’t Equifax customers. In this case, impacted people can’t simply close their accounts and take their business elsewhere, because they were never customers to begin with.
The third difference lies in the nature of the information that was breached. It consisted largely of names, addresses, dates of birth, and Social Security numbers. Such data, unlike credit card numbers or passwords, are almost impossible to change or replace. Like a genie let out of a bottle, once information like this is released, there is no easy way to put it back.
When incident response becomes an incident itself
A company’s incident response should be planned and prepared well in advance of an actual incident occurring. Attempting to formulate a plan during an incident is a recipe for disaster.
One of the most concerning aspects of the Equifax breach has been the lack of transparency and information provided in the aftermath. Equifax didn’t offer any clear guidance around how affected individuals could place a credit freeze, or any explanation around the potential dangers of identity theft.
Many critics, with no real insight into the operation of the company, have focused on unrelated issues, such as questioning the academic qualifications of the Chief Information Security Officer (CISO), and debating whether the right level of patching had been deployed. However, the fact of the matter is that the lack of patching – and general lack of security hygiene – revealed through this breach aren’t issues isolated to Equifax. These are challenges faced by nearly every organization with connected systems (which is pretty much all of them). These issues won’t get resolved by pointing fingers or by formalizing the education needed to be a CISO.
Perhaps these conversations are a result of ‘breach fatigue’. Every few months for the past few years, the world has faced another huge breach (see, recently: HBO, CeX, GameStop, OneLogin, Anthem, Sabre Hospitality, Wolf Creek nuclear facility and many others), and people are no longer surprised when they hear about another major breach. Eventually even a huge, far-reaching breach like Equifax can fail to stimulate the right discussions, with the bulk of conversations remaining fixated on small issues with little general relevance.
Regulators, regulate!
Lawyers are queueing up around the block to file lawsuits against Equifax for not preventing the breach, in what promises to become a long and protracted affair. This is to be expected, as legal woes are increasingly common for companies after a breach, whether it’s facing lawsuits from affected customers, or in some cases, filing their own lawsuits against partners or third-party contractors for their lax security.
It’s time to reform the U.S. regulatory market to provide better protection for citizens and their data (much like GDPR’s objective in Europe).
Equifax – an environmental disaster
Perhaps the biggest danger in the Equifax breach is that the breached user details will be circulated amongst criminals indefinitely. Therefore, much like the impact of burning fossil fuels on the climate, the full impact of the Equifax breach may not be felt for years.
This will also make attribution difficult. If a user’s identity is stolen two years from now, it will likely be impossible to determine whether or not the criminal leveraged data leaked in the Equifax breach. Similar to the slow but covert contamination of a river from a nearby factory, it will be possible to point to the Equifax breach as the probable source; however, without being able to verify the culprit and prevent the damage earlier, by the time the impact is felt, it may already be too late.