Equifax hack: What we learned

Published December 27, 2017
FOXBusiness

While 2017 was riddled with cyberattacks, including at the U.S. Securities and Exchange Commission (SEC) and global accounting firm Deloitte, the Equifax (NYSE:EFX) hack may take the cake in terms of both scale and consequence.

When unauthorized third parties gained access to one of Equifax’s portals, thanks to its failure to patch a software vulnerability, the personally identifiable information of more than 145 million consumers was compromised. That data included, among other things, Social Security numbers, birth dates and driver’s license numbers.

As experts grapple with improving online security, here are the lessons we learned from the Equifax breach.

You could be compromised for life

Due to the nature of the information obtained through the Equifax hack, compromised individuals are always going to be at risk online.

Social Security numbers and birth dates, for example, are two pieces of information that individuals do not have the power to change once they have been breached. So, once that information is out there, it will always be out there, and victims will be at the mercy of cybercriminals.

Social Security numbers are outdated

At every congressional hearing held by lawmakers, expert witnesses and CEOs agreed that the Social Security number is outdated. Even the White House has said that a new method of personal identification must be introduced.

“I feel very strongly that the Social Security number’s outlived its usefulness,” Rob Joyce, White House cybersecurity coordinator, said during a Washington Post conference in October. “It’s a flawed system. If you think about it, every time we use the Social Security number [we] put it at risk.”

While no formal solution has been publicly proposed, former Equifax CEO Richard Smith and a series of experts cited a public-private system as a viable option to improve security.

Joyce proposed a security system that uses a public and private key, or two random sets of numbers – one that is shared publicly and the other is kept secret by the owner. The two keys are mathematically related, so something encrypted and sent to the public key can only be turned back to its original form using the private key, for example.

Response time matters

Equifax said it discovered the breach in late July, but it did not notify the public until September. That raised concerns both among consumers, and lawmakers, especially since it’s Equifax’s job to protect consumer credit data.

Meanwhile, Uber waited a year to disclose a hack that it intentionally tried to hide from the public by paying hackers $100,000 to cover it up.

Events this year have brought the disclosure process for cyberattacks into the forefront of the national cybersecurity discourse.

SEC chair Jay Clayton has said the disclosure rules could use a rework. Three Democratic senators introduced a bill that would require companies to report any breach within 30 days, while deliberately attempting to conceal a hack could result in jail time for company executives.

However, Equifax didn’t just face criticism over its response time. On top of that, it engaged in a series of blunders as it laid out services for consumers to check whether their information had been stolen, including requiring them to agree to a clause stating that they wouldn’t join a class-action lawsuit against the company. That stipulation was removed after widespread public outrage. These missteps inflicted an additional layer of damage on the company and its reputation.

Consumer control may be the future

Former Equifax CEO Richard Smith and interim CEO Paulino do Rego Barros suggested that the future of data security at their company, and at other credit reporting agencies, may require them to relinquish control to the consumer. Equifax is working on a tool, expected to be available next month, which will allow consumers to lock their credit data for free, for life.

Barros acknowledged that Equifax currently owns consumer credit data, despite the fact that consumers have no choice in whether their information is collected and held by the company.