The views expressed by contributors are their own and not the view of The Hill

Equifax data breach is latest reminder of security lessons

by Raz Rafaeli, opinion contributor - 09/08/17 3:40 PM ET

The Equifax data breach this week has quickly become recognized as the quite possibly the worst breach in history. Although other hacks dwarf the Equifax incident in sheer size and volume, the Equifax breach is particularly severe due to the breathtaking amount of highly sensitive data it has left open to criminals. This includes credit card numbers for about 209,000 U.S. customers, as well certain “dispute documents” with personal identifying information for approximately 182,000 U.S. consumers.

In addition to the shock surrounding the hack itself, equally troubling is the fact that according to the company itself, Equifax was aware of “unauthorized access’ to its systems as early as late July. Which means that it has taken the company a solid month or more to inform the public. Furthermore, recent announcements by top Equifax personnel indicated that the company is “in the process of” contacting federal regulators regarding the details of the incident, indicating that the company hasn’t reported the breach to authorities since becoming aware of it, at least a month ago.

{mosads}There are two important lessons to be taken from the Equifax fiasco, details of which are still emerging. First, the breach calls into question the entire model of authentication prevalent in the world of information security today. Utilizing user personal details such as mother’s maiden names, social security numbers, and other security questions to authenticate users has once again been demonstrated to be an easily circumventable method for hackers to get around.

Second, is the lack of regulations in related to the reporting of cyber crimes. The fact that Equifax is just now revealing the breach and has only recently began reaching out to law enforcement and regulators, has made the potential effects of the leak exponentially worse. Victims of of unauthorized data access need to be updated immediately so they may take steps to protect themselves from the effects of exposure, such as cancelling credit cards, and becoming vigilant for sophisticated phishing attempts utilizing their personal information.

The laxness in which Equifax has gone about disclosing the breach highlights the needs for clear-cut standards on breach reporting. This is one of the most emphasized articles of European Union’s General Data Protection Regulations set to become European law next year. The regulations codify that any data breach will be reported within 72 hours of the initial identification by the victimized company. The negligence with which Equifax has gone about its reporting duties would almost certainly have subject the company to hefty fines under the General Data Protection Regulations.

Equifax does have presence in Europe, and the company did acknowledge that many U.K. customers were likely affected by the recent breach. This means that had this incident been shifted just a few months into the future, Equifax’s European assets would have been subjected to potentially enormous financial penalties. The lessons learned from the Equifax breach should give pause to both users and company heads alike when assessing implementation of security protocols, and what the responsible standards are for disclosure if and when breaches occur.