Equifax: Disturbing Developments

Credit-rating company Equifax’s data breach, which involves an estimated 143 million people, may not be the largest we have seen; after all, Yahoo lost billions of emails in a series of data breaches, most of them disclosed to the public much later. Given the nature of the data at play here, this is clearly becoming the most deadly of all data breaches, like tropical storm Irma. The feared Irma is on its way to touch Florida (pray for the safety of all living in Florida), but the Equifax data breach storm has the potential to affect a large set of Americans and become the worst data breach ever. The sensitivity of the data and the direct access to it make the big difference between the two. Yahoo’s emails could have exposed some bank account information or some personal information, but the hacker would have to scan very widely to find anything relevant enough to benefit from; an occasional bank account or credit card number might have been exposed. The odds are stacked against the attacker, given the volume of information to sift through to find the useful pieces. But Equifax is a different ball game altogether. Equifax is one of the three biggest credit-reporting companies in the U.S., and the breach is reported to have occurred from mid-May through July 2017, even though the public got to know about it only on Sep 7, 2017.

According to Equifax, the information that was accessed includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for north of 200,000 U.S. consumers and certain dispute documents with personal identifying information for north of 180,000 U.S. consumers were accessed.

Come to think of it, this is precisely the information US residents share with a bank to get credit cards, get certain types of jobs, or get a mortgage. This is important information, and the breach seems to have affected a large number of Americans. Class-action lawsuits are already being filed less than 24 hours after the information became public.

Equifax’s response so far has been pathetic and uncaring, to say the least. To start with, Equifax did not share news of the breach for several weeks after it began investigating. Second, three top executives sold stock between the time Equifax knew about the breach and the time it shared the news with the public. Public sources reveal that chief financial officer John Gamble sold $946,374 worth of stock, president of U.S. information solutions Joseph Loughran sold $584,099 worth of stock, and Rodolfo Ploder, president of workforce solutions, sold $250,458. It may be the case that these gentlemen were not aware of the breach when they sold (though it looks difficult to believe that the CFO and the IT head were not aware of a data breach of this magnitude, and that as key executives inside Equifax they could not find out what the matter was!), but clearly Equifax is on the defensive on this ground, given popular perception.

Equifax has since set up a web page with information and a way to enroll in “complimentary identity theft protection and credit file monitoring services and how to find out if your personal information may have been impacted.” The site requires you to enter your last name and the last six digits of your Social Security number. Equifax won’t tell you right away if you’ve been impacted, but the site promises to let you know when you can enroll in the company’s “TrustedID Premier” program and tells you to “mark your calendar” to check back. Some security experts were concerned about the basic setup of the site and that even there a new set of data breaches could happen. Many trade sources complained that “Customer service agents contacted by phone on the emergency telephone line said they couldn’t provide further clarity on the matter.” And the people fielding those calls were telling callers that they don’t have access to the database of those affected.

What to do next

The options in front of the affected person are indeed very limited. There’s the standard advice after a data breach: change passwords if you reuse the same one, turn on two-factor authentication when possible, and watch for any suspicious links or emails from Equifax or others. Some suggested freezing the credit score, so that external players cannot access such information until this is waived. You can also turn to the other big two credit-reporting agencies in the U.S., Experian and TransUnion, and make sure there haven’t been any recent inquiries made into your credit history. Equifax is giving away a free year of credit monitoring and identity-theft insurance, which everyone is highly encouraged to take advantage of.

On an ongoing basis, spend the time to keep a closer eye on credit-card statements – the newly issued cards may be more exposed. Don’t leave any financial statement archive without your express approval. At the end of it, it is clear that a tremendous amount of data is now floating out there with someone not authorized to hold it – either in the hands of criminals or a nation-state. Your Social Security number will never change, and your past addresses will always be your past addresses. The effects of the Equifax breach will be felt for years to come. Beware of phishing mails, which are clickbait to draw one into rogue schemes, and keep your machines state of the art with all patches applied.

One of the things I find disturbing about this data breach is that there is essentially nothing any of us could have done to protect ourselves. We’re told to have strong passwords, avoid risky sites and apps and use security software, but that only protects our devices, not data stored by others. And, in the case of Equifax and other credit reporting bureaus, it’s not as if we’ve even chosen to do business with these companies. They collect and store sensitive data about us whether we like it or not, and I’m not even sure if there is a way to opt out. Increasingly, companies are supposed to safeguard this information, but they’re subject to hacks, human error and even deliberate breaches from within. Medicare even puts recipients’ Social Security numbers on their cards, which they usually carry in their wallets, so if a wallet is stolen, their identity is at risk. Medicare plans to change this next year, but in the meantime millions of people over 62 are vulnerable. We need to figure out a way to disempower the use of the Social Security number to steal our identities. I’m not sure how that can be done, but I’m pretty sure it’s doable.

Some hacker is reportedly trying to take advantage of this development. I also demand a national center of cyber breaks, which would act as the clearinghouse for providing national relief, and all enterprises should have an annual checkup. Hope America comes out of this unscathed.

(Cross-posted @ Sadagopan's weblog on Emerging Technologies,Thoughts, Ideas,Trends and The Flat World)

Global Vice President & Business Leader - Digital Experience & Marketing, Collaboration, Content and Social lines of business for HCL Technologies. He has led international teams and initiatives for large enterprises and leveraging digital technologies to create change, focused on enabling new client experiences, creating new customer markets, & fragmenting markets to destroy existing value chains, by working with clients to shift value within and across industries, change the nature of industry control points, & redefine how work is done.