A year after the Equifax breach, what security lessons have been learned?
It was right about this time last year when hackers exploited a web-application vulnerability in Equifax’s servers and siphoned out data from millions of customers.
While it took some time for the full details to emerge, we now know that the massive breach affected over 147 million users. Most were located in the US; however, it was reported that customers in Canada and the United Kingdom were also impacted. The stolen data included social security numbers, addresses, birthdates, even some driver’s license and payment card numbers.
The idea of our personal data being in the hands of criminals with unknown intent can be unsettling to say the least, but is there any silver lining now with the attack in our rearview mirror? Are we any safer or more aware? Or maybe we learned something that will help protect our personal information moving forward?
While it was reported that the breach happened between mid-May and July of last year, you probably recall that the headlines didn’t catch fire until early September—which is when Equifax publicly announced the breach. From that point on, people began frantically searching for answers. Was my data stolen? If it was, what should I do? Should I freeze my credit?
Regardless of the questions that were asked, one thing was certain: Organizations and individuals were concerned about security, and in many cases, they became more aware of the implications associated with a breach and even took initiative to protect their assets and personal information.
Sometimes we all need a push in order to make a change, and in this instance the Equifax breach turned out to be the motivating factor. A breach of this magnitude can act as a wake-up call to people who maybe don’t understand the risks associated with unsecured data, or how easy it can be for cybercriminals to gain access to it. We’ve seen organizations become more alert, and the timing couldn’t be better if you look at the numbers.
The recently released 2018 Identity Fraud Study states that the number of identity fraud victims in the U.S. has gone up over the past three years. However, the more people who become aware of the risks and take the necessary steps to protect themselves, the better they can keep themselves out of studies like this one.
Along with better awareness, we’ve also seen security spending continue to increase and security technologies continue to improve. In fact, Gartner forecasts worldwide security spending will increase again in 2018, citing “regulations, shifting buyer mindset, awareness of emerging threats and the evolution to a digital business strategy” as the reasons for the increase.
This is a good sign as well; however, as we see organizations and individuals make progress on the security front, that doesn’t mean we’re in the clear from the Equifax breach.
All the data that was stolen is long gone and in the hands of criminals. We have no idea when or if they’ll try to use it to their advantage, but we should prepare as though they will, whether that’s today or five years from now.
It’s also important to remember that as time moves along, we generate new personal information and data that criminals will value, so we need to do our best to make sure that the same thing doesn’t keep happening to it.
With the personal information that was stolen, criminals can potentially gain access to existing accounts or open new accounts in your name, commit tax or medical fraud, or even use your name in a criminal case, which could land you in jail. LifeLock has a great post about the many types of identity theft.
These potential scams are a great reminder that we still need to take our information security seriously, whether that’s looking out for any associated scams that may come about from the Equifax breach, or just taking the right steps to protect the new data we accrue as the years go by.
Here are a few quick tips that might help:
Keep your software updated – Any time an organization or individual is alerted to a software update, it’s worth taking the time to complete it. Software updates often include security patches for discovered vulnerabilities, so running the updates is well worth the time.
Use multi-factor authentication (MFA) wherever possible – Logging in to accounts through MFA means that even if a criminal has a user name and password, they still won’t have the unique code that is sent to the employee or individual in order to gain access.
Use an identity theft protection service – It’s nearly impossible for many IT departments to keep track of all of the personal information they hold. There are some helpful services available that protect identity by monitoring activity that uses personal information. The organization will receive important alerts when any potential threats arise.
Create strong and unique passwords – In addition to using MFA wherever possible, avoid reusing passwords. One of the worst things an employee or individual can do is use the same few passwords for all of their accounts, because if your information is stolen, criminals will be able to access more than just that one account.
There are password management tools that can help with this, but it’s easy enough to remember that all of your passwords should be different, and not something that can be easily cracked by a crafty criminal.