It’s been nearly a week since Equifax went public with knowledge of a massive data breach—perhaps one of the biggest to date. There’s no word yet on who is or isn’t affected, but it’s very likely that 143 million Americans (45% of the U.S. population and 80% of those who have a credit report) are now at risk of identity theft.
What data was compromised? SSNs, birth dates, and addresses for certain, followed by driver’s license and credit card numbers for an unlucky few. The impact this will have on Americans, and even the Britons and Canadians who were affected, is staggering.
Data breaches may be as familiar as breathing by now, but this one’s no drop in the bucket. Equifax’s loss has tremendous implications, prompting questions from consumers around the world: what does it mean for us? What should we be doing to protect our information right now? How can we be sure this won’t happen again in the future?
These are important concerns. Until they’re answered, consumers should take every available precaution, including putting an alert on your credit reports (or freezing them altogether), to limit the damage that could come in the aftermath of this breach.
But these aren’t the only questions we have. If onlooking cybersecurity teams aren’t discussing how the Equifax data breach stands to change the way we view our security practices, it might be time to kickstart that conversation—preferably before the next shattering data breach.
Here’s what we think are the most important takeaways from this event.
We Need Better Security and Encryption Practices
Equifax may not have kept consumer information properly secured
It’s one thing to have a data breach. It’s another thing to have an unencrypted data breach, and unfortunately, Equifax (as of September 13th, 2017) has yet to clarify whether the database compromised was secured at rest. If it was, America’s mass panic might temper a little. Hackers need access to encryption keys in order to read, and use, the information they stole. Without those keys, the data is virtually useless.
Others are also unsure whether or not proper encryption was used. This article from The Street, an American financial news and services website, reports: “While Equifax has not revealed the specifics of the hack, either the databases were not encrypted or the ‘application vulnerability that was exploited provided authorized access to the data in an unencrypted state,’ said Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company.” Outlets like ABC News and several security experts in the industry hold the same uncertainties.
Until Equifax clarifies the security status of what was stolen, everyone should operate under the assumption that their personal data—social security numbers, addresses, birth dates, etc—wasn’t secure, and take proper steps to reduce the risk of identity theft.
Are you worried your data was affected? Follow recommendations provided by the FTC on their website.
No matter what statements are released in upcoming days, weeks, and months, it’s clear we need to scrutinize the way organizations encrypt sensitive information. Perhaps it’s time to look closely at our current business processes and develop better cybersecurity practices.
What do we hope to see in the aftermath of this breach?
- Companies using strong encryption and network monitoring software
- Encrypted data in transit and at rest. Always. No exceptions
- Mandatory multi-factor authentication (MFA) for user access
- Better use of alert messages when faced with strange activity (or more normal activity than usual)
- Frequent security audits and employee training sessions
- Monthly identification of unusual network devices, applications, or connections that could allow hackers to exploit a backend database or unchecked website vulnerability
The Equifax data breach has brought the issue of cybersecurity to light for many onlookers: companies, security professionals, public consumers. Since Equifax fell short on their promise to protect the data they collect, we’ll probably see updates to the way the industry enforces encryption and security in the near future.
We Need to Remember that Customers are Real People
Equifax has not explained how they will prevent future breaches
In the days following the breach, Equifax has been hesitant to discuss details about the incident, leaving people to wonder what steps they’ll take to secure their data now or how they’ll anticipate and prevent future attacks. How, exactly, did the breach happen? Who, exactly, is at risk? What, exactly, will happen to consumers who are affected?
This brings up the final change we hope to see in the future: organizations taking cybersecurity practices seriously. In a rush of business decisions and company goals, it can be easy to tick security off a long list of to-dos or see a data breach as a blow to financial numbers and incoming sales.
But who really hurts from ignoring good cybersecurity policies? People. Individuals and families who, impacted by the exposure of their personal data, may struggle to rebuild their finances and identity. They trust organizations like Equifax, Verizon, Google, and Chipotle to secure their information.
And with each data breach, organizations are failing to make good on that trust.
The industry’s view of customers, clients, and consumers needs to shift if we’re ever going to seriously prevent the next onset of cyberattacks. Their data should be treated as sacred, not just a row in a database. The potential lasting impact for each person affected by a breach is far too great to think otherwise.
If we choose to learn from the mistakes of modern data breaches, we might, just might, chart a different course for cybersecurity.
If we don’t? Nothing will ever change.
