Equifax breach a nightmare that should serve as wake-up call for feds

The American public has had several days to allow news to sink in regarding the massive data breach at credit monitoring agency Equifax. Information regarding more than 100 million Americans was stolen, and the company’s primary response, to offer credit monitoring, has been widely derided. Although not the largest data breach, this one is one of the most serious because of the sensitive content purloined.

Since disclosure, the technical security community has chastised the company for its poor posture of defense and responses to the incident. Also of concern, the Securities and Exchange Commission is investigating stock sales made by executives after the breach occurred, but before it was disclosed. Security blogger and researcher Brian Krebs, a respected journalist in the field, wrote:

I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social Security numbers and other information on 143 million Americans.

{mosads}Why should we care? Because in our information-centric finance markets, everyone relies upon the credit reporting agencies for the information that ultimately decides what we pay for anything on credit. The entire credit reporting industry has had its issues with customer service, error prone records and numerous regulatory missteps. But this breach far exceeds any of them. It is in the same league as the 2015 data breach at the Office of Personnel Management, in that Equifax pooled so much sensitive information – not just Social Security numbers, but significant account information as well, including credit card data in one place. In addition, something not much talked about is whether the integrity of Equifax’s data repository was subverted. Were records for individual credit reports altered by those who gained unauthorized access? It’d be nice to know.

Equifax has demonstrated through its systematic incompetence that it should not be trusted with a large cache of information that could potentially wreck our economy. Credit ratings set interest rates, interest rates set economic activity, and it’s now clear that at least one of the major players in this industry has not done due diligence in maintaining the security of their core business. 

Again, from Brian Krebs:

The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers. 

In Europe, many of the practices which Equifax and other data brokers “make piles of money” from are simply not allowed. Since 1995, the European Union Data Protection Directive has served to inform EU citizens as to how their personal data are collected, processed, disseminated, and protected. This law was recently updated and will go into effect next year. There is no similar law in the US. We don’t even have a uniform data breach notification law. 

Lawmakers should consider investigating and possibly banning data brokering by the credit bureaus. It is one thing for credit bureaus to inform lending establishments of consumer creditworthiness, but another for them to serve as behind the scenes marketing intelligence firms. So long as these companies cannot protect their data resources, they will harm U.S. consumers, financial institutions, and government through the countless cases of identity theft that incidents like the Equifax breach enable.

At the national level, a fundamental examination of the data brokering business is required. University of Pennsylvania computer scientist Matt Blaze argued, “Equifax was negligent to spill all that data, but a business model that requires all that data in one place is itself a form of negligence.”

Equifax was negligent to spill all that data, but a business model that requires all that data in one place is itself a form of negligence.

— matt blaze (@mattblaze) September 9, 2017 

What Equifax and others have done in concentrating massive quantities of personal data simply is not desirable in our time of cyber insecurity. Private firms and government agencies that maintain such data stores need to be regulated concerning protection and isolation of the data. Leaving this issue to current market driven action is to continue down the road of failures. There is no perfect solution, for even well prepared firms such as some of the big banks have failures, but not of the glaring magnitude of Equifax and OPM.

The Equifax breach reinforces the need for three new pieces of policy:

1. Enacting national data breach notification regulations with true penalties of significant magnitude designed to alter corporate behavior;
2. Separating the credit reporting and data broker business functions, which may mean banning some of the latter activity; and
3. Regulating all entities that have significant data stores to include best practices for information security.

These steps may cause upheaval, but changes are needed to safeguard American’s information, financial, and national security. We have had plenty of wake-up calls. No company in the business of warehousing or brokering data can pretend to not be at risk. It’s time for regulatory intervention.

Chris Bronk and Wm. Arthur Conklin are professors at the University of Houston. Conklin is the Director of UH’s Center for Information Security Research and Education.