Equifax blew it, though theirs is hardly the first hack. Personal data isn’t safe, and that should make us skeptical of centralized databases of personal information regardless of who collects it. Indeed, the entire system of using social security numbers as personal identifiers has been broken.
We’re stuck dealing with the consequences, and while the average consumer maybe should get a credit freeze, I’m not going to: it’s a pain, it slows down the credit origination process, and not all issuers will follow up manually to get permission to access your credit. At this point I’m just going to aggressively monitor my accounts.
Although if enough people freeze their credit the credit industry is going to have to learn to accommodate it, initially it’s going to be a big problem for store credit cards that are mostly set up at point of sale (you go to a retail merchant and are offered a discount on the day’s purchases for getting their credit card on the spot).
I am actually comforted by the scale at which this theft occurred. Since it looks like my data was included in the breach, I’m better off that there were 9 figures worth of accounts rather than say four figures.
- While I hate the idea of the kind of personal information being freely available that would allow someone to social engineer access to my accounts (enough correct details to convince a bank to reset my password or make a wire transfer), that sort of attack is manual and time-consuming and not the sort of thing that will be done across 100,000,000 customers. So safety comes in the form of security by obscurity: sure, I can be hacked, but the odds that I’ll be one of the ones hacked are pretty low.
- A consumer that’s a victim of a small data breach bears the cost of resolving ensuing credit issues. This one is so big that lenders, banks, and others will expect it and will have to develop better procedures for resolving fraud. Indeed, doing so could become a competitive differentiator, given the number of customers that would otherwise be disserviced.
It shouldn’t be our problem to stay on top of things; it should be Equifax’s. Ultimately Equifax will pay. A lot. But like most class action settlements, which is probably how this will end, individual consumers will get very little, while the liability is a real risk to the company.
Meanwhile there’s going to be a tremendous amount of government scrutiny over the industry. Certainly TransUnion and Experian are shaking their heads at the new, very public challenges they face ‘through no fault of their own’, though the idea that they couldn’t have been hacked is silly.
At the same time, regulation isn’t the answer. It’s easy to say “but there should be security standards”; however, there already are security standards and Equifax didn’t follow them. Data was encrypted, but the encryption keys were on the same server, vulnerable to the same hack. And the penetration occurred via a known vulnerability that Equifax apparently had failed to patch.
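To make concrete why “encrypted, but with the keys on the same server” buys nothing, here is an added example (mine, not code from the original post or from Equifax) contrasting that layout with envelope encryption, where records are encrypted under per-record data keys and those data keys are wrapped by a key-encryption key held outside the server. The cipher is a stand-in: an HMAC-SHA256 keystream in counter mode from the standard library, used only so the example runs offline; the `OffHostKms` class, the function names and the sample record are all constructed for illustration and stand for a real AEAD (such as AES-GCM) and a real HSM or KMS.

```python
"""
Added example: the difference between keys co-located with the ciphertext and
keys held off-host (envelope encryption).  Stdlib only.

The "cipher" below is a placeholder stream cipher (HMAC-SHA256 keystream in
counter mode) chosen so the file runs without third-party packages.  The point
of the example is where the key lives, not the cipher itself.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` by XORing with HMAC-SHA256(key, nonce || offset)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


# --- Layout 1: key stored on the same server as the data ------------------
def store_colocated(record: bytes) -> dict:
    """Everything an attacker with read access to the host can see."""
    key = secrets.token_bytes(32)
    return {"ciphertext": encrypt(key, record), "key": key}   # key sits on disk next to data


def attacker_reads_host_colocated(server_files: dict) -> bytes:
    """Reading the server's files is enough: the key is right there."""
    return decrypt(server_files["key"], server_files["ciphertext"])


# --- Layout 2: envelope encryption with an off-host key-encryption key ----
class OffHostKms:
    """Hypothetical stand-in for an HSM/KMS: the KEK never leaves this object."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)

    def wrap(self, data_key: bytes) -> bytes:
        return encrypt(self._kek, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        return decrypt(self._kek, wrapped)


def store_enveloped(kms: OffHostKms, record: bytes) -> dict:
    """Per-record data key; only its wrapped form is stored on the server."""
    data_key = secrets.token_bytes(32)
    return {"ciphertext": encrypt(data_key, record), "wrapped_key": kms.wrap(data_key)}


def attacker_reads_host_enveloped(server_files: dict) -> bytes:
    """Best the attacker can do with the host's files alone: use the wrapped key
    blob as if it were the key.  Without the off-host KEK this yields garbage."""
    return decrypt(server_files["wrapped_key"], server_files["ciphertext"])


def app_reads_enveloped(kms: OffHostKms, server_files: dict) -> bytes:
    """The legitimate application path: ask the KMS to unwrap, then decrypt."""
    return decrypt(kms.unwrap(server_files["wrapped_key"]), server_files["ciphertext"])


if __name__ == "__main__":
    record = b"name=Jane Doe;ssn=000-00-0000"   # constructed sample record
    print(attacker_reads_host_colocated(store_colocated(record)))       # plaintext
    kms = OffHostKms()
    files = store_enveloped(kms, record)
    print(attacker_reads_host_enveloped(files) == record)              # False
    print(app_reads_enveloped(kms, files) == record)                   # True
```

Envelope encryption only raises the bar against an attacker who can read the stored data; an attacker who can run code on the application server while it holds a live session to the key service can still ask for plaintext one record at a time. That is why a key service is a complement to, not a substitute for, the patching the post says was missed.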
Meanwhile, government isn’t better at this than the private sector. The United States Office of Personnel Management had an ongoing breach for over a year, from March 2014 through April 15. Initial estimates were that data was stolen on four million federal workers, but it turned out the number was over 20 million. And it didn’t just include names, addresses, dates and places of birth and social security numbers, but even detailed security-clearance-related background information.
The OPM hack and the Equifax hack should give real pause regarding government data collection. Big databases are big targets, and government gets hacked just like the private sector does.
Contra Bruce Schneier, who points out that Equifax’s customers are companies who want data on consumers, not the consumers themselves, so Equifax doesn’t have an incentive to protect consumers who aren’t customers: the incentive is that their business can be destroyed by tort liability. Government doesn’t face the same consequences as a private company; indeed, government failure is usually met by calls for increases in budgets rather than bankruptcy risk.
There are no easy answers here, because over the long term what we need is a replacement for social security numbers as national identifiers, but any centralized solution carries risk. Need I mention that we just learned about vulnerabilities in Estonia’s ID cards, and they’re perhaps the most advanced in the world? For now all we can really do is stay on top of things.