The Hard Security Lessons of Equihack

Defined Ventures, Inc.

The blurring of the lines between the real world and the digital world is one reality of the age we live in. What’s becoming increasingly apparent over time is that the online data world is here to stay, whether we like it or not.

Think of how much time you spend on social media, whether you’re connecting with friends, researching information, or simply browsing the internet for leisure. It’s easy to forget just how much information you reveal about yourself in the run of the day while engaging in these activities in the digital landscape.

Even a routine purchase on a site like Amazon sends your name, address and payment details across several networks and leaves copies of them in several databases; if any one of those systems is poorly secured, that transaction puts your information at risk.

The data breach Equifax suffered nearly two months ago is proof enough that breakdowns in the digital world have real-life implications. Well over a hundred million consumers had their information exposed by a single poorly contained security breach, and to make matters worse, the public was not told until roughly six weeks after the company itself discovered it.

The fact that Equifax is one of America’s most trusted credit bureaus also has many asking just how reliable they truly are in the first place.

Today, we’ll explore what happened in the Equifax hack and why it’s a reminder of the need to improve digital information security.

Data Breach Fallout

Data breaches can happen to nearly any company at any time. What matters most is how that company handles the fallout or corrects the issue.

Perhaps the greatest sin of Equifax's reaction is how long they waited to inform anyone about what happened. Equifax discovered the intrusion at the end of July 2017 and did not announce it until early September, some six weeks later, and the attackers had been inside for weeks before discovery. By the time consumers heard about it, it was much too late for most of them to take effective action to protect their identities.

The numbers speak for themselves and put the situation into perspective. Around 143 million individuals had their information compromised, the bulk of them in the United States, with further victims in Canada and the United Kingdom, making the Equifax breach one of the most impactful data thefts of the last 10 years.

Worse yet, experts still can't estimate the full extent of the damage. Unlike a leaked password, a Social Security number, date of birth or address cannot be rotated, so the stolen data stays useful to fraudsters for years. Many expect that, once the dust settles, it will prove to be the most devastating breach yet.

It isn't all bad news; the impact on the U.S. economy isn't as severe as it could have been, partly because Equifax operates globally, with divisions in Europe and Canada, so the harm was spread across several jurisdictions rather than concentrated in one. Still, the reality is that a proactive, transparent response could have prevented much of the fallout.

Why the Delay in Communication?

It seems unthinkable that such a large credit reporting company can get away with this incredibly long delay in communication. With a closer look, we find that corporations (including Equifax) are typically not bound by a fixed, legislated deadline for communicating data breaches; in 2017 most U.S. state laws required notification only "without unreasonable delay" and set no number of days. There's also a precedent, or at least a priority, of protecting the company's interests over the consumer's, and that's a serious problem.

For starters, Equifax is headquartered in Atlanta, Georgia, one of the many states whose data breach laws demand very little in the way of disclosure. In defense of Equifax, there are legitimate reasons why a company might keep a breach out of the public eye for a time, but six weeks is just plain excessive.

As for those aforementioned reasons, a company may want to finish its own investigation before going public: announcing a breach can tip off the attackers, who may then destroy evidence or change their tools, and law enforcement sometimes asks for a short delay for the same reason. Tracing the source of an intrusion is delicate work, and the trail gets colder the longer it takes. Often, though, the real issue is that companies like Equifax underestimate (or fail to realize) the effects of data theft in the first place. Or they realize the negative publicity could permanently damage the business, and so try to get the story under control before releasing a definitive statement and committing to it.

This is not to excuse Equifax's lack of communication, nor to imply the delay was mainly due to self-interest. Data thefts are not only bad for business and consumer trust; they also create a PR nightmare for the company. Naturally, companies will do whatever they can to control their outward appearance and reputation. The length of the delay, on the other hand, shows few signs that Equifax had its customers' interests first in mind, at least at the outset.

Another troubling aspect of this event is the sale of company stock by several Equifax executives in the days after the breach was discovered and before the public announcement, followed by the departure of senior leadership. Although we can only speculate about their motives, many observers find the timing suspicious.

Whatever the motive, the market's verdict is clear: Equifax's stock has dropped by more than 18 percent since the announcement.

How Do We Move Forward?

For companies seeking to learn from Equifax's failures, now is the time to start improving data security and consumer protection. Equifax's errors are a lesson in what can happen, both with shoddy protection and with a poor public response. On the protection side, the intrusion is publicly known to have come through an unpatched flaw in the Apache Struts web framework (CVE-2017-5638), for which a fix had been available for months before the attackers used it; on the response side, the six-week silence did the rest.

This issue is raising plenty of questions. Should companies investigate their own data breaches in the first place? Should companies be required to release breach info immediately? Is prevention more important than today’s companies let on?

There's some debate on each of these points. Many cybersecurity experts believe companies should have more time on their own to fully assess the damage and the wide-reaching implications of a data theft. In their view, keeping control of the situation and limiting the number of parties involved in the investigation allows for faster mitigation.

Others (including many consumer protection agencies) believe businesses should be more transparent and open with their investigations from day one. Their philosophy holds that security protocols are easier to improve with more access to information regarding data breaches.

There are merits to both sides of this argument, but the case for more transparency carries more weight. Companies that hold vast amounts of consumer data have not shown that they can be trusted with sole control over the flow of information about a breach. The fact that Equifax (and other companies that have fallen victim to data breaches) have not demonstrated competence at preventing intrusions is, perhaps, proof enough.

Data Collection Questions

Data collection is another hot topic with businesses like Equifax. They acquire data regularly, sometimes even without the consumer’s knowledge, and store it for future use. New laws to prevent rampant data acquisition and reduce the amount collected may help to increase security and privacy by preventing unnecessary information storage. These laws may even limit the amount of time data is accessible before hard deletion.

Currently, there's little to no limit on how much consumer data a company can collect or how long it can keep it, and every record retained is a record that must be managed and secured indefinitely. The current run of corporate breaches is telling businesses, and legislators, that the rules need to change to reduce how much user information is exposed when a system is compromised.

The problem with this type of legislation is that it can be very limiting. Verifying a person's identity is a necessary security step, but the way it is usually done requires storing sensitive consumer information for the long term. Security questions that ask for a Social Security number, mother's maiden name or similar "secrets" are of questionable value: the answers are static, they are the same at every institution that asks for them, and once an attacker obtains them from one source they can be replayed against every other site that relies on them. That is exactly the kind of information that is easier to steal and exploit than a long random string, which is unique to one account and can be replaced when it leaks.

Protecting stored data with encryption or one-way hashing is another potential fix, but it's still sorely lacking in the corporate world. The more mature software and enterprise platforms apply it as a matter of course, though no single control guarantees absolute protection; smaller companies and newcomers may lack the encryption literacy to apply it correctly, which leaves unwanted holes for access.
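The two preceding paragraphs make a pair of claims that are easier to see in code: stored identity answers should not be kept in a form that a thief can read back, and even when they are hashed, answers drawn from public facts about a person remain guessable once the other facts have leaked. The following is an added example, not code from the original article or from Equifax. Every name, record and parameter in it is an assumption made for illustration; the sample identity is constructed and is not real personal data, and the PBKDF2 iteration count is set deliberately low so the demonstration runs quickly.

```python
"""Knowledge-based authentication (KBA) storage, weak vs hardened, and why
hashing alone does not rescue low-entropy answers.

Added example; all records, names and parameters are assumptions.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample identity (fictional; 123-45-6789 is not a valid SSN).
SAMPLE_ANSWERS = {"ssn": "123-45-6789", "dob": "1962-03-14", "maiden": "Kowalski"}

# Assumption: kept small so the demo finishes in well under a second.
# A production deployment would use a far higher count or a memory-hard KDF.
PBKDF2_ITERATIONS = 20_000


def normalize(answers):
    """Canonical byte form so ' KOWALSKI ' and 'Kowalski' verify the same."""
    return "|".join(answers[k].strip().lower() for k in ("ssn", "dob", "maiden")).encode()


# --- Weak design: the stored record IS the secret -------------------------
def enroll_plaintext(answers):
    return dict(answers)


def verify_plaintext(stored, answers):
    # Anyone who copies the table can answer the questions anywhere else.
    return normalize(stored) == normalize(answers)


# --- Hardened storage: per-record salt, slow hash, constant-time compare ---
def enroll_hashed(answers, salt=None):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answers), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_hashed(stored, answers):
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answers), stored["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored["digest"])


def dump_contains_ssn(stored, ssn):
    """Does a stolen copy of this record reveal the SSN directly?"""
    return any(isinstance(v, str) and ssn in v for v in stored.values())


# --- The caveat: when the other answers are public, the last one is guessable
def brute_force_dob(stored, known_ssn, known_maiden, start_iso, days):
    """Attacker already holds the SSN and maiden name from an earlier breach
    and knows roughly when the victim was born; tries each date against the
    stolen hash. Returns the recovered date or None."""
    start = date.fromisoformat(start_iso)
    for i in range(days):
        d = start + timedelta(days=i)
        guess = {"ssn": known_ssn, "dob": d.isoformat(), "maiden": known_maiden}
        if verify_hashed(stored, guess):
            return d.isoformat()
    return None


def random_account_secret():
    """What a per-account, non-reusable credential looks like: 256 bits of
    randomness with no relation to anything a bureau stores about the person."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    plain = enroll_plaintext(SAMPLE_ANSWERS)
    hashed = enroll_hashed(SAMPLE_ANSWERS)
    print("plaintext dump reveals SSN:", dump_contains_ssn(plain, SAMPLE_ANSWERS["ssn"]))
    print("hashed dump reveals SSN:   ", dump_contains_ssn(hashed, SAMPLE_ANSWERS["ssn"]))
    print("correct answers verify:    ", verify_hashed(hashed, SAMPLE_ANSWERS))
    found = brute_force_dob(hashed, SAMPLE_ANSWERS["ssn"], SAMPLE_ANSWERS["maiden"], "1962-03-01", 31)
    print("DOB recovered from hash using leaked SSN + maiden name:", found)
    print("per-account random secret instead:", random_account_secret())
```

The hashed table is a real improvement over the plaintext one: a thief who copies it does not get the Social Security numbers back. But the brute-force function shows the limit of that improvement. Once an attacker holds a person's SSN and mother's maiden name from a breach like Equifax's, the date of birth is one of a few hundred candidates and falls out of the hash in a fraction of a second, so the "secret" can be replayed at any site that still relies on those questions. A per-account random credential has no such weakness, because nothing in the bureau's data predicts it.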

The Need for Improved Communication

The final and perhaps most important lesson here is that companies like Equifax need to improve their communication and transparency, point blank. America may need new legislation requiring businesses to inform the public about data breaches promptly, because it does not appear that many companies will do so on their own. The lack of regard for consumer protection, and the reluctance to tell consumers that their data has been stolen, is a worrisome trend in modern business practice. It shows that companies like Equifax are either indifferent to protecting their consumers or place their own interests far above everyone else's.

What lessons can we learn about the Equifax data breach and how can we work to improve data security and consumer protection? The topics we’ve covered here today are just the beginning. There’s no one easy answer to these questions, but there are some universal guidelines these companies should take to heart. Quick action, increased transparency, and improved communication will pave the way towards a better and safer experience for consumers and businesses alike.
