By letting the Equifax breach go unexamined, the Consumer Federal Protection Bureau (CFPB) is permitting a world more vulnerable to fraud, insecurity, consumer inaction, and third-party risk — a menacing combination.
Your personal data is highly valued — not just by you, but also by cyber criminals. There is a thriving economy for stolen and leaked data. For precisely this reason, the Equifax exposure differs in scale, size, and scope than previous breaches.
{mosads}With stolen or leaked data, only monetization matters. Cyber criminals are generally agnostic about the type, origin, or owner of the data — and the better the packaging, the easier the sell. To this observation, resignation is the most common reaction: “Why would a cyber-criminal target me? I don’t have a high credit limit. And even so, my bank will credit my account and send me a new card.”
This apathy is dangerous. Whales don’t target individual krill. They consume opportunistically and in mass quantities. While incidental, a whale’s appetite is no less dangerous for the krill.
What is the actual, tangible impact? Like contemplating the ocean, it needs boundaries to provide meaning. Here are four clear impacts from the Equifax data breach:
- People are overwhelmed to the point of inaction. The constant drumbeat of breaches has not instilled fear in people, but fatigue. Consumers are exhausted with steady headlines of their sensitive data being leaked or stolen. Rightly so, since an individual has limited options: freeze credit, stay vigilant, and become (more) paranoid. Affecting nearly half the U.S. population, the Equifax breach spread a virus of resignation: “Well, my data is already out there.” And for those that did not transform into zombies of indifference, the reaction is one of fuzzy significance. A fraudulent charge for $50 here and a fake ID there — where does that money go and who cares? At the scale of individual accounts or people, the impact seems minimal, though, of course, people’s lives can be ruined. On an aggregate scale, the consequences pile high and last long.
- Stolen and leaked data fuels the supply chain of fraud, which funds crime, terrorism, and drugs. Exposed payment card and personal data are commoditized and power an accessible, active underground economy, especially on the dark web. More insidiously, terrorists, gangs, organized criminals, and rogue nations outsource fundraising to this community of cyber-enabled fraudsters. As with any enterprise, technology accelerates the speed and scale of businesses, even the illicit and illegal ones. The pseudonymous buyers and suppliers of data drive an ecosystem to launder money, obfuscate criminal operations, and sell drugs, namely, opioids like the deadly fentanyl. Post-Equifax, this underground economy is likely to experience an influx of goods, specifically, of qualified, credible, and curated personal data. Consequently, various forms of fraud abound: tax, insurance, health care, mortgage, and credit card.
- It will become even harder to prove that you are who say you are. Authentication relies on three factors: something you know, something you have, and something you are. Many organizations, including the government, use date of birth and a Social Security number (SSN) as proof of identity. Either those organizations must rethink how to verify identities or prepare for an irreversible weakening of authentication. While security hygiene like password managers and two-factor authentication are necessary, they are no longer sufficient. As my colleague Emily Wilson wrote immediately after the Equifax breach, this incident exposed “lifetime data” (names, birth dates, SSNs) which cannot be easily changed, if at all. For decades to come, the data exposed from the Equifax breach will ricochet around the dark web, challenge employers and governments, and persistently erode pillars of identity verification.
- Because of the Equifax ordeal, thousands of companies and millions of customers have been put at risk — not to mention the national security implications. Fraud affects everyone, yet there is little that a single person can do to protect themselves. Those individuals, however, also work at and transact with banks, hotels, retailers, and hospitals. Though larger companies might manage this third-party risk, the Equifax breach creates extensive information security vulnerabilities for under-resourced small and medium enterprises, particularly credit unions and regional banks. Even if these companies were not breached, they must react the same, monitoring for the exposure of their employees’ and customers’ credentials. Finally, the national security ramifications are harrowing. The United States’ adversaries and hostile intelligence agencies might use the Equifax data, if acquired, to fill in any blanks left by the OPM breach and the myriad milestone breaches since.
Faced with a confrontation, humans will fight, flight or freeze. After the Equifax breach, Congress castigated and called for change, but again, inaction won. (Currently, all 50 states are independently investigating Equifax, including the Federal Trade Commission (FTC), as well as 240 class action lawsuits.) Previous milestone breaches have failed to overcome this inertia, however, here are four legal, regulatory, and policy pathways that merit consideration:
- The GDPR model. If “another Equifax” happened later this year, Europe’s General Data Protection Regulation (GDPR) would require that company to disclose the breach within 72 hours of becoming aware of it, and face fees up to four percent of its total annual revenue. Although the US and EU fundamentally differ on privacy law, GDPR itself was modeled off of California’s SB1386 bill, approved in 2003.
- National breach notification. The battle at the CFPB aside, companies lack a federal mandate to disclose a breach; there are 48 different state breach notification laws involving personally identifiable information. Recently, three senators introduced the Data Security and Breach Notification Act, which criminalizes failures to report data breaches and mandates the FTC to standardize security procedures.
- FTC fines per record stolen or lost. Earlier this month, two senators proposed legislation that empowers the FTC to fine credit-reporting agencies. In their business models, TransUnion, Experian, and Equifax value each consumer’s record, and this bill suggests penalizing accordingly in the case of a breach or exposure.
- A national cybersecurity safety board. Two professors from Indiana University recently examined proposals to establish a cyber equivalent of the National Transportation Safety Board. Although the idea has been around for several years, given the parallels in the perils of transportation and cyber disasters, the Equifax breach could hasten the creation of this new investigative entity.
Continued apathy and inaction threatens our wallets, safety, identities and businesses. The CFPB has no excuses left for inaction.
Munish Walther-Puri is an experienced intelligence and risk analyst and chief research officer at Terbium Labs, a dark web monitoring company.