The recent breach of Equifax, a global information solutions company that organizes, assimilates and analyzes data on consumers and businesses worldwide, and one of the three major credit reporting agencies, exposed the data of approximately 143 million people in the United States. Between May and July, the breach allowed attackers access to names, Social Security numbers, birth dates, and even driver’s license numbers, in addition to 209,000 credit card numbers and dispute details for another 182,000 individuals. According to the company, the attack vector exploited a U.S. website application vulnerability to gain access to certain files. In addition to being a major credit bureau, Equifax is a partner of the Internal Revenue Service (IRS), the Centers for Medicare and Medicaid Services, and the Social Security Administration, all major targets of hostile cyber actors.
More alarming than the breach itself is the fact that details of the breach weren’t made public until six weeks after it had occurred, and the company hasn’t said why it waited so long before notifying the public. One possibility is that the company was investigating the causes and the extent of the breach, although this is only speculation. To add insult to injury, it was revealed that three of Equifax’s executives sold company stock prior to the disclosure of the breach. While the company maintains that these individuals had not been notified of the breach prior to the sale, once the breach was made public, Equifax’s stock value plunged 18 percent, with some estimates predicting further losses.
Unsurprisingly, this culmination of events has outraged the American public, and that anger has reached the U.S. government, igniting a bipartisan political response to the breach. The U.S. Senate Finance Committee has pressured Equifax to disclose what happened and why, sending a 13-question letter covering topics such as the details of the breach’s discovery, the company’s victim notification plan, and steps to mitigate consumer impact. The company has until September 28 to answer the questions outlined in the Committee’s letter.
The Equifax breach comes at a time when some significant organizations have failed to safeguard citizens’ sensitive personal information. Notable breaches have included the 2015 Anthem breach that surrendered 79 million people’s personal information; the 2015 Office of Personnel Management (OPM) breach that compromised more than 4 million personnel records of individuals applying for security clearances; and the 2016 IRS breach that exposed the personal information of more than 700,000 individuals.
It is important to underscore that these millions of individuals did not carelessly protect or handle their own data. Rather, it was the inability of these “responsible” organizations, which require the information for their business purposes, to properly secure it, calling into question the extent of their responsibility, accountability, and consequences. Even when a website was provided for potential victims to check whether their information might have been compromised, the last six digits of an individual’s Social Security number – not the last four, which is more standard – were required. Providing additional information to a website run by an entity that has demonstrated its inability to protect what it already had is certainly not reassuring.
Currently, 48 states have laws requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information. However, the “time of notification” varies, and in several instances is defined in vague terms such as “most expeditious.” This is completely unacceptable in today’s cyber reality, where the criminal element can operate quickly and monetize stolen information immediately, before victims are even aware that they have been compromised. In 2011, the Social Security Administration (SSA) failed to inform thousands of Americans that it had accidentally released their names, dates of birth and Social Security numbers in an electronic database widely used by U.S. business groups. The SSA essentially ignored the established reporting guidelines of the U.S. Privacy Act, which protects the personal information of private citizens. Such actions are not only negligent but border on criminal in their own right.
The U.S. public is tired of seeing massive breaches occur without any accountability or consequence levied against the organizations that were trusted with, and failed to protect, other people’s sensitive information. Fines do not send a serious enough message, and CEO firings and/or forced resignations have not had any significant impact on changing cyber security practices. The U.S. Congress, long maligned and unpopular according to one tracking service, has the opportunity to demonstrate bipartisanship and pass strict disclosure mandates, along with an appropriate level of grave consequences.
While much attention has been focused on nation-state cyber capabilities, the frequency and pace of major breaches like the Equifax breach have become white noise that gets a moment’s notice before attention shifts to sexier cyber topics. This has got to change. While the crippling of U.S. critical infrastructure as a result of a cyber attack could potentially have far-reaching impacts, it remains a scenario. What is actually transpiring is the rampant mass exploitation and misuse of the U.S. public’s personal information, which affects everyone, regardless of political party, economic class, or religious ideology. That seems a call that both sides of the aisle should be able to get behind.
This is a guest post written by Emilio Iasiello.