October top reader pick: Richness of exposed data makes Equifax breach among worse ever
News of the Equifax breach has been buried by the wall to wall media coverage of Hurricane Irma and, perhaps, by the fact that we have all become inured to reports of yet another major hacking of financial data. This is a mistake.
The Equifax breach appears to be far worse than previous breaches, with potential consequences of a totally different order of magnitude than the prior mass corporate hacks. Initial headlines focused on the number of impacted consumers, which is indeed breathtaking – approximately 143 million people according to Equifax.
In other words, the vast majority of adults in America.
Lost perhaps in that large number is a far scarier reality – the richness of the data that has been exposed is far worse than the data that has been exposed in prior breaches. According to Equifax, the hackers had “access” to the names, Social Security numbers, addresses, dates of birth, and, in some instances, driver’s license numbers of the affected individuals.
Losing control over 143 million credit cards would be very bad. Losing control over 143 million Social Security numbers, and their associated identity information, is far, far worse. This information is exactly the information that we rely on to verify someone’s identity. It is simply a gold mine for potential identity thieves.
If the hackers now have a copy of Equifax’s database (something Equifax’s statements seem to make deliberately unclear) it calls into question our entire system of tracking and monitoring credit with potential consequences far beyond Equifax’s ability to address.
In order to assess the potential harm in this instance, we must first know what Equifax means by “access”. Do the hackers have the ability to log in to the system to conduct searches? Could they download the entire database?
There is a world of difference between these two possibilities – the first is alarming; the second is a disaster. Moreover, does Equifax know anything about the identity or motivation of the hackers?
Knowing (or even making an educated guess as to) the motivation of the hackers would help clarify the risk. For example, if it turns out that the data was taken by a foreign spy service, for example, that might suggest that the hackers intend to use it to build a database of Americans they can use for espionage (for example, by figuring out who can be targeted for compromise by financial incentives or by blackmail).
If, by contrast, the data was taken by organized crime, we need to be prepared for a systemic attempt to use the information for fraud – by, for example, obtaining large numbers of loans through identity theft or mass filing of false tax returns to obtain refunds from the IRS.
Indeed, in the worst case scenario – exfiltration of this full dataset by a criminal actor determined to use it for maximum financial gain – it is hard to see how Equifax’s current business model could be sustained if it is true that information necessary to “prove” the identity of virtually any American is available to criminals.
Indeed, in that worst case scenario, we may be forced as a society to rethink how we confirm identity and track credit ratings, which would be a major disruption for the financial services industry.
So far, Equifax seems to be trying to downplay the seriousness of this issue – it has not said anything about the systemic risk this breach might have for the financial industry. Indeed, its initial response has seemed anemic.
Their apparent decision not to individually notify affected parties, but rather to set up a website that purports to tell consumers if they were breached only after consumers provide them just the sort of identity information they apparently failed to protect, does not seem like an ideal public relations decision. Whether it is legally sufficient is a matter that will no doubt be explored.
Their proposed remedy – an offer of a year’s free credit monitoring to any adult in the US – seems woefully inadequate in light of the fact that the apparently stolen information does not expire after one year.
Though the number of spectacular breaches in the past few years may seem overwhelming and may have left Americans almost numb to their impact, this latest breach is well worth attention – the early indications suggest is may be far worse than any of the headline-grabbing breaches we have seen before.