September 2017: On September 7, as Americans were riveted on Hurricane Irma as it developed into the Atlantic’s largest-ever storm, Equifax announced it had been hacked from mid-May through July. It reported that hackers accessed information for about 143 million Americans including Social Security numbers, birthdates, addresses and, for some people, driver’s license numbers. Credit card numbers and dispute documents for hundreds of thousands of individuals were also accessed, as was data for some consumers in Canada and the UK.
Even though more than half of the adult U.S. population has been affected, that is not why this hack is worse than all the rest. Here’s why:
1. The stolen information is exactly what thieves need to steal identities, open fraudulent accounts, and pull off major scams.
Each accessed Equifax credit file contains the information that banks and other creditors require to open accounts, loans and mortgages and to conduct other financial transactions. In comparison, the Target and The Home Depot hacks only yielded credit card data. So, while those hacks were a major problem, neither was likely to ruin customers financially.
The information stolen from Equifax is completely different. With an Equifax file in hand, a criminal has an excellent chance of convincing a customer service rep that they are indeed that person. The file also supplies the answers to online security questions, so the criminal can likely bypass humans altogether, even for major transactions. They could fraudulently apply for and receive government benefits, for example, or file tax returns to collect the refunds. They can also obtain medical services in the victim's name and even commit crimes under it. If a stolen file belongs to a wealthy person, the criminal might even make the effort to impersonate that person in real life, complete with a fake driver's license bearing the real driver's license number.
In the post-Equifax world, identity theft has never been easier.
2. The six-week delay between discovery and disclosure exposes how the lack of regulation puts every American at financial risk.
Headquartered in Georgia, Equifax was able to legally keep the breach a secret for many weeks. There are no federal laws or industry standards requiring entities to report breaches; each state sets its own security breach notification law. And while Georgia law has some requirements about breach disclosure, it does not specify a timeline. Only eight states specify a timeline at all, and those range from 15 days to 90 days. In contrast, the European Union is about to enact a 72-hour notification requirement.
State laws also vary greatly when it comes to other requirements, including which parties are subject to the law, the definitions of personal information and of breaches, notification thresholds (such as the number of people affected or potential damages involved) and notification requirements (by email, phone, etc.), and other stipulations.
Equifax made its announcement about 40 days after discovering the breach. And the breach began about 75 days before the discovery.
Within a couple of days of the discovery, on the other hand, three Equifax executives, including the CFO, sold $1.8 million in Equifax stock, though they say they had not yet been informed about the hack.
Without clear, consistent regulations across all 50 states that put consumer protection before corporate protection, individual Americans' financial security, privacy and identities will be at even greater risk as hackers steal more information.
3. With about half the country’s credit data in the hands of hackers, the U.S. needs to reassess how we manage data and evaluate creditworthiness.
Are credit agencies TransUnion and Experian next on the hacker hit list? Since all three credit agencies have the same data set, would additional hacks even matter? Now that all of this data has been compromised, how can it still be used as the basis for opening accounts, transferring funds or granting loans?
The Equifax hack is worse than every other hack because it has changed reality.
The new reality is that we need to evolve, because the existing system can no longer work. We need to look at fundamentally different ways to deal with money and transactions in the digital age: online shopping, banking and other digital financial transactions aren't going away, and neither are the hackers. So while we've managed to stay relatively secure while bridging the old credit world with the new digital world, the Equifax breach blows all that up. Digital currencies like Bitcoin and the one the Chinese government is developing, blockchain technology and other purely digital approaches to financial transactions are probably part of the solution, in addition to limiting the amount of data companies can collect, requiring them to encrypt stored data, and reducing the length of time they're allowed to store it.
Equifax has now released some details of how the hackers got into its system: they exploited a flaw in Apache Struts 2, a web application framework. A patch had been available since March, and Equifax apparently knew it needed to patch all vulnerable systems, but it missed one. As of this writing the stolen information doesn't appear to have surfaced on the dark web yet, which means the thieves could be sitting on it for now. One thing is certain, whether you believe your information was taken or not: to guard against identity theft, freeze your credit with all three agencies if you haven't already.
The Leapfrog team spends a great deal of time thinking about cybersecurity issues and the bigger picture. We think about what makes Equifax and other organizations vulnerable to begin with, which factors need to be addressed to avoid those risks, and how security gaps and the related solutions (or non-solutions) impact the company and relate to the rest of the connected world. Whether we're designing systems, managing networks and infrastructure, ensuring business continuity, or simply having a conversation with clients about their IT roadmaps, we bring our latest thinking with us. If you're interested in our point of view on how cybersecurity issues can impact your unique organization, please contact us.