In a shockingly understated comment on what is probably the largest data breach in history, Equifax CEO Richard Smith said: “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes."
Piling insult on injury, Equifax is now in the midst of a PR disaster as the company is only divulging whether a person’s PII has been breached by asking them to divulge their PII, enrolling in Equifax’s Trusted ID Premier service and incredibly, waiving the ability to bring or participate in a “class action, class arbitration or other representative action.” This may be very wishful thinking on behalf of Equifax — a proposed class action was filed last night over a breach that affects up to 143 million U.S. consumers.
But it's not just Equifax that needs to worry. The incident can and should be a turning point for the financial services industry, a warning that it needs to end its reliance on static personal identifiers like Social Security numbers and birth dates.
A history of fraudulence
For too long, consumers have been told to guard their personal information as if they were the ones in control of it. Ahead of the Target data breach of November 2014, consumers with crystal balls could have avoided shopping at the store, but it's a nigh impossible task for any banked consumer to hide from the three major credit bureaus.
And the size and frequency of data breaches has accelerated to a point where it could be argued that consumers see this as the new normal. Even so, the Equifax breach may be so significant in scale and reach — affecting up to 44% of the U.S. population — that it does actually precipitate a change in the way that PII is protected and stored.
“The public certainly has breach fatigue, but the size of this one will resonate, along with the fact that it involves people’s full identities,” said Julie Conroy, research director at Aite Group. “It’s a lot more challenging and painful for consumers to unwind the resulting identity theft-related fraud than a breach just involving payment card data like Target or Home Depot.”
This incident may move the needle from passive to active identity management, according to a senior bank executive who requested to remain anonymous.
“Today’s identity management infrastructure is passive, identity checks or identity updates happen in the background," the executive said. "We need to reverse that. Every time some provider wants to add to your identity data/change it, you need to be notified and can agree or not agree with the change. App ecosystems are doing this, why not credit bureaus?”
Opting in to a better future
The app ecosystem has learned the hard way that older identity verification methods don't translate well to the modern world. Apple was a pioneer in the app economy and suffered the consequences — including a $32 million settlement with the FTC — over lax authentication policies for in-app purchases. The company went on to make fingerprint authentication and tokenization a standard of mobile payments.
Outside of the mobile environment, there is a similar need for technology to catch up with reality.
“Hopefully this builds momentum behind better means of authentication — passive methods (e.g., device ID, geolocation, behavior metrics), dynamic knowledge-based authentication, mobile imaging of IDs (which can detect embedded holograms), and biometrics,” said Dan Van Dyke, senior analyst at BI Intelligence. “Static identifiers are now undeniably dead.”
It has been noted that the backbone of the credit card industry in the U.S. has been in place since the 1960s and has almost certainly not kept up to speed with the digital world of today.
“The whole system relies on static information held by old, stale companies,” said Kaz Nejatian, CEO of the alternative payments network Kash. "Anyone who deals with fraud can tell you that this system is totally broken. This latest hack, hopefully, will force everyone to take a long, hard look at the technology foundations for banking"
However, there may not be a way to abruptly change the way the financial services industry handles identity verification and other uses of PII, even if efforts start today.
“Changing the paradigm around identity is more of an evolutionary path than a revolutionary one, since there are so many interconnected dependencies, especially in highly regulated environments that rely on PII,” Conroy said.
Watching the watchers
A breach of this magnitude is also shining a renewed regulatory spotlight on credit reporting firms.
In his statement of last night, Sen. Mark Warner, D-Va., who heads the bipartisan Senate Cybersecurity Caucus, went on to say that the Equifax breach “raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans.”
Indeed, this may be a failing of government as much as it is a failing of the financial services industry.
“How regulators have allowed this situation to persist for this long is utterly baffling," said Scott Crawford, research director at 451 Research. "At a time when many enterprises are scrambling to become compliant with more stringent data protection requirements outside the U.S. such as GDPR, the U.S. seems positively backward in its approach — embarrassingly so when it comes to the PII handled by credit reporting firms.”
This particular breach could have even further-reaching consequences, not just in the exposure data released, but in the data that may have been put in. In a nightmare scenario for the credit scoring industry, this could undermine the validity of FICO.
“I am really way more worried about the new data hackers created than the stuff they took out,” Nejatian said. “Imagine them creating 10,000 people out of thin air, all with perfect FICOs and all of them now applying for loans on these online, no-branch shops.”