If data is the new oil, then Equifax just caused a huge environmental disaster

Sep 28, 2017 | 5 mins
Data and Information Security | Data Breach | DLP Software

Examining the Equifax breach, its long-lasting impact and the need for more – and better – regulation.

[Image: Hacked, unlocked, unsafe. Credit: Thinkstock]

On September 7, Equifax announced that it had experienced a cybersecurity incident. With approximately 143 million user records compromised, it may not have been the biggest breach in recent history, but it might turn out to be one of the most significant because of the type of data compromised and because the breach directly affected almost half of the U.S. population.

We’re living well and truly in the digital era, where data has become the new oil, and everyone is trying to get their hands on it.

To take this a bit further, raw data is akin to crude oil – in many instances it needs to be refined to be usable for a specific process. This refinement process can take on many forms: an algorithm that analyzes for trends, a statistical analysis, or something more basic, like filtering it based on location or gender. Data is often used for a variety of different purposes depending on its volume and how much it has been refined – and each type of data can serve a particular purpose. As a result, all types of data, ranging from personal and financial data to seemingly benign information shared through WiFi hotspot locations, are increasingly being targeted.

While companies of all sizes across all verticals are experiencing an influx of attacks and data breaches, the Equifax incident was unique in several ways that make it worth looking at more closely.

3 ways the Equifax breach is different

The Equifax breach is distinctly different from other similarly large breaches – most notably because many of the individuals impacted weren’t actually Equifax customers. The credit bureau had obtained much of its information through business dealings with other organizations. Like Equifax, many companies have access to personal data that originated elsewhere, and this complexity makes it difficult for individuals to understand just how far their digital footprint extends. This is one of the main reasons why supply chain security is vitally important, because knowing who has access to your data, and for what purposes, can help with mitigation and recovery in the wake of a breach.

The second aspect of the Equifax breach that is unique also stems from the fact that so many of the impacted users weren’t Equifax customers. In this case, impacted people can’t simply close down their accounts and take their business elsewhere, because they were never customers to begin with.

The third difference lies in the nature of the information that was breached. It consisted largely of names, addresses, dates of birth, and social security numbers. Such data, unlike credit card numbers or passwords, are almost impossible to change or replace. Like a genie let out of a bottle, once information like this is released, there is no easy way to put it back in.

When incident response becomes an incident itself 

A company’s incident response should be planned and prepared well in advance of an actual incident occurring. Attempting to formulate a plan during an incident is a recipe for disaster.

One of the most concerning aspects of the Equifax breach has been the lack of transparency and information provided in the aftermath. Equifax didn’t offer any clear guidance around how affected individuals could place a credit freeze, or any explanation around the potential dangers of identity theft.

Many critics, with no real insight into the operation of the company, have focused on unrelated issues, such as questioning the academic qualifications of the Chief Information Security Officer (CISO), and debating whether the right level of patching had been deployed. However, the fact of the matter is that the lack of patching – and general lack of security hygiene – revealed through this breach aren’t issues isolated to Equifax. These are challenges faced by nearly every organization with connected systems (which is pretty much all of them). These issues won’t get resolved by pointing fingers or by formalizing the education needed to be a CISO.

Perhaps these conversations are a result of ‘breach fatigue’. Every few months for the past few years, the world has faced another huge breach (see, recently: HBO, CeX, GameStop, OneLogin, Anthem, Sabre Hospitality, Wolf Creek nuclear facility and many others), and people are no longer surprised when they hear about another major breach. Eventually even a huge, far-reaching breach like Equifax can fail to stimulate the right discussions, with the bulk of conversations remaining fixated on small issues with little general relevance. 

Regulators, regulate!

Lawyers are queueing up around the block to file lawsuits against Equifax for not preventing the breach, in what promises to become a long and protracted affair. This is to be expected, as legal woes are increasingly common for companies after a breach, whether it’s facing lawsuits from affected customers, or in some cases, filing their own lawsuits against partners or third-party contractors for their lax security. 

It’s time to reform the U.S. regulatory market to provide better protection for citizens and their data (much like GDPR’s objective in Europe).

Equifax – an environmental disaster

Perhaps the biggest danger in the Equifax breach is that the breached user details will be circulated amongst criminals indefinitely. Therefore, much like the impact of burning fossil fuels on the climate, the full impact of the Equifax breach may not be felt for years. 

This will also make attribution difficult. If a user’s identity is stolen two years from now, it will likely be impossible to determine whether or not the criminal leveraged data leaked in the Equifax breach. Similar to the slow but covert contamination of a river by a nearby factory, it will be possible to point to the Equifax breach as the probable source; however, without being able to verify the culprit and prevent the damage earlier, by the time the impact is felt, it may already be too late.


Javvad Malik is an award-winning information security consultant, author, researcher, analyst, advocate, blogger and YouTuber. He currently serves as a security advocate at AlienVault.

An active blogger, event speaker and industry commentator, Javvad is known as one of the industry’s most prolific influencers, with a signature fresh and light-hearted perspective on security.

Prior to joining AlienVault, he was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning. Prior to that, Javvad served as an independent security consultant, with a career spanning 12+ years working for some of the largest companies across the financial and energy sectors.

Javvad is an author and co-author of several books, including The CISSP Companion Handbook: A Collection of Tales, Experiences and Straight Up Fabrications Fitted Into the 10 CISSP Domains of Information Security and The Cloud Security Rules: Technology is Your Friend. And Enemy. A Book About Ruling the Cloud. He’s also the founder of the Security B-Sides London conference and a co-founder of Host Unknown with Thom Langford and Andrew Agnés.

Javvad has earned several professional certifications over the course of his career, including Certified Information Security Systems Professional (CISSP) and GIAC Web Application Penetration Tester (GWAPT). He’s also won numerous awards in recent years for his blogging, including the "2015 Most Entertaining Blog" and the "2015 Best Security Video Blogger" recognitions at the European Security Blogger Awards.

The opinions expressed in this blog are those of Javvad Malik and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.