Equifax Data Breach Highlights Consumer Privacy Risks
By Doug Pollack - Article on September 22, 2017
- Cyber Security
- Data Breach Notification
- Incident Response
The Equifax data breach has thrown a spotlight on the issue of data privacy, and things may never be the same. It’s not just the size of the breach. Although it exposed personal information on over half the U.S. adult population, the Equifax breach only ranks 6th among the largest data breaches of all time. However, the scope and sensitive nature of the compromised information has consumers worried, and the fact that this could happen at one of the major credit bureaus has raised questions in many quarters. The consequences of this breach will be with us for years, so let’s look at what we know now and what may happen in the near future.
On September 7, 2017, Equifax reported a breach of 143 million consumer records that included Social Security numbers, birth dates, street addresses and, in some instances, driver's license numbers. The breach resulted from a cyber attack, possibly by a nation-state actor, that began in mid-May 2017 and wasn't discovered until July 29th. According to Equifax, the attackers exploited a months-old vulnerability in the Apache Struts web framework. Apache had released a security patch for the problem in March 2017, and Equifax still hadn't installed the patch by the time the attack began in May.
In response to the breach, Equifax put up a website where consumers could supposedly find out whether they were affected and, for a limited time, could sign up for a free year of TrustedID Premier, their 3-bureau credit monitoring service. The company has since added an offer of free Equifax credit freezes for consumers who sign up by November 21st, 2017.
Consumers flocked to the website, entered their names and SSNs, and quickly reported that it gave the same response no matter what information was entered: they “may” be affected by the breach. (Entering made-up names and SSNs yielded the same result.) The Equifax website and phone support were reportedly overwhelmed by people trying to place credit freezes and sign up for the free monitoring service.
The Federal Bureau of Investigation, Federal Trade Commission and the Consumer Financial Protection Bureau (CFPB) have all said they are looking into the data breach. The Justice Department has launched an investigation into two Equifax executives who sold large amounts of stock after the breach was discovered and before it was made public. The company’s chief information officer and chief security officer were “retired” in the wake of the breach, and Equifax stock lost nearly a third of its value.
The Equifax breach may have repercussions for years to come. We’ll talk more about these in upcoming blogs, but here are a few of the impacts that we’re seeing.
The Equifax breach has raised awareness of data breach risks and responsibilities to a new level. Consumers are particularly incensed because they have no choice in whether to deal with credit bureaus and no control over what personal information a credit bureau holds or how it protects that sensitive data. To date, over 50 class action suits have been filed against Equifax, some of which could set new precedents on the damages a breach victim can claim before there is evidence of actual identity theft.
The breach has also fueled discussion about the patchwork of state regulations governing data breach reporting and notification. For instance, while Tennessee requires written or electronic notification of victims within 45 days after discovery of a breach, Oregon law excuses an organization from direct notification if the breach affects more than 250,000 individuals. Unlike the national healthcare privacy standards set by the Health Insurance Portability and Accountability Act (HIPAA), there is no federal law governing data breach notification for the financial industry. These inconsistencies have led privacy experts and regulators to renew calls for a federal standard on data breach notification. While the financial industry has been lobbying for a reduction in consumer protection rules and elimination of watchdog agencies such as the CFPB, a recent Chicago Tribune article speculated, “That balance is likely to tip in favor of the regulators in coming weeks and months,” as a result of this breach.
The Equifax breach seems to have convinced consumers that data breaches are the new reality, and many are taking steps to protect themselves. For example, the Los Angeles Times reports that enrollments in Lifelock’s credit monitoring service are up 10x since the Equifax announcement. (The article also notes that those enrollees might be less than pleased to know that Lifelock’s monitoring service is provided by Equifax.)
With 143 million records to choose from, the hackers behind the Equifax breach will be able to mine the information for years for identity theft, social engineering attacks, and other misdeeds. In the wake of this privacy disaster, regulations and penalties may change. (A ZDnet article pointed out that if Equifax were subject to the EU’s GDPR regulations, based on 2016 revenues, this breach would have triggered a $124 million fine.) Additionally, the U.S. may finally move away from using Social Security numbers as personal identifiers—a use for which they were never intended—and the American economy will find out over time the impact of potentially hundreds of millions of consumers freezing their credit records.
If there is any positive to be found in all of this, it could be that business leaders will finally place privacy and information security front and center in their risk management priorities. David Hickton, a former US attorney and director of the cyberlaw institute at the University of Pittsburgh, told the Houston Chronicle that as a result of this breach, “Boards are now feeling the pressure and responsibility to make sure this stuff doesn’t happen.” Let us hope that proves true.