What the Equifax breach means to me — an end user perspective

My daughter started first grade last week, and I received a note encouraging me to sign up for the Bloomz app — a tool that teachers can use to communicate with parents. 

Knowing that these apps collect data and often share them with third parties — and that those third parties are often weak links in the security chain — I was tentative. I told the teacher I wasn’t comfortable with it.

A couple days later, my inbox was flooded with insight from industry experts who wanted to weigh in on the Equifax breach. As each day has passed, though, the number of emails is dwindling. 

This breach is no different from the countless others that have made the headlines. When I first started writing in this industry, everyone looked to Target as the example of a massive breach. Since then, it’s been everyone from Sony to Anthem, OPM, Yahoo!, and now Equifax.

But if breaches have become a dime a dozen with millions of people’s data in the hands of cyber criminals, does anyone even care anymore? 

I’m reminded of The Neverending Story when Morla, the Ancient One, admits, “We don’t even care whether or not we care.” 

The question to enterprises and the entire industry is whether you will be the resilient hero, like Atreyu, or stop trying, like his horse Ortex, who drowns in the Swamps of Sadness.

Equifax data added to the sea of stolen records

Andrew Bagrin, founder and CEO of OmniNet (previously MyDigitalShield) said, “The Equifax breach is the one that pulled down all of America’s pants. The information you kept closely guarded is now out there in the hands of the bad guys.”

While this may very well be true, the reality is that the sea of stolen records is expanding to the point where the cup of the bad guys is overflowing. Bagrin said, “There’s not enough bad guys to exploit all of it any time soon. The chances of your identity actually being used is low.”

That truth is the gateway to apathy. 

“The recent event at Equifax, similar to prior events at other organizations, once again targets the data,” said Dallas N. Bishoff, director of security services at  Stratiform, a PCM company. “All organizations with substantial data collections will remain targets. This week it was Equifax, but every week, most companies are at risk.”

There is no mystery about the best security practices that should be in place across all organizations. 

Ferruh Mavituna, president and CEO of Netsparker, said, “The Equifax hack is a perfect example that highlights how businesses can get bitten if web application security is not taken seriously. Researchers identified a cross-site scripting vulnerability on their website back in 2016, yet Equifax never responded to their reports and never fixed it.”

And while it is quite unlikely that the reported XSS vulnerability was the one that got them in trouble, Mavituna said, “It is clear that they are not following certain best practices; they are not forcing SSL on all their pages, and they have information leakages as highlighted by @notdan on Twitter.”

The reality of human behavior is that we follow the leader. These are the big guys — the leaders who are entrusted to collect and secure the personal information of their customers.

I’d like to think that this is a wakeup call, but I don’t know that it is, so I decided to give up the fight to secure my data and join the rest of the parents on Bloomz. I shop at Target and TJMaxx, I had a Yahoo! account, I’m an adult with a credit score. I’m out there, and some days I question whether it really matters at all. 

These are the challenges that security practitioners will continue to face as they fight to mitigate end user risks. What will happen if everyone just gives up and sinks in the swamp — if we just assume that our personal information is already in the abyss of stolen data and stop caring about what we click?