Equifax should have known better

September 12, 2017, 12:07pm EDT

The Equifax data breach is likely to have permanent repercussions not just for the company, but for any business that relies on credit scoring.

While scant details have been released about the specific nature of the incident, given the breadth and depth of the attack — affecting nearly half of all U.S. consumers and capturing full and irreplaceable personal data — the cost and impact of this breach could well cause radical shifts in the way that personally identifiable information (PII) is stored and used.

Hackers follow the money

Since 2010, the ID Theft Resource Center has been tracking breaches involving Social Security numbers (SSNs) and card data. The numbers tell a compelling story — while data breaches involving card data have represented 13% to 26% of attacks between 2010 and 2016, breaches involving SSNs have represented 42% to 62% of attacks per year over the same period.

Exposure of SSNs grew 8.2% in 2016 over 2015, while card data exposure dropped by 7.4%. Fraudsters have not changed their modus operandi overnight; read on to see how even a cursory assessment of the data shows where their emphasis lies.

The reaction to major data breaches — including the Heartland data breach of 2008 and the Target data breach of 2013 — has always been to protect card data. But the non-card data that Equifax handled deserved just as much attention, if not more.

The reason for this is obvious — the value of PII is way higher than easily replaceable information such as credit and debit card numbers. A full set of PII is, for fraudsters, the gift that keeps on giving — a means of opening fake accounts for months or years.

It is unfathomable that the payments industry would have allowed the brokerage of card data, so why is this possible with far more dangerous PII? Why hasn’t the market addressed this given the potential for disaster that has predictably just occurred?

According to Bruce Schneier, renowned security expert, the problem lies with the industry of data brokerage overall. He points out that Equifax may be one of the largest, but there are 2,500 to 4,000 other data brokers that are collecting, storing and selling information about you. “In case you didn’t notice, you’re not Equifax’s customer. You’re its product,” he tells CNN.

This is a fundamental issue. You can’t be both a protector and distributor of data since these are conflicting interests, especially in a competitive market.

Attacking the bottom line

The Equifax breach, at the most basic level, will cost the company billions of dollars. According to the 2017 Cost of Data Breach Study by Ponemon Institute, data breaches are most expensive in the United States and Canada. The average per capita cost of a data breach was $225 in the United States and $190 in Canada.

However, breach costs vary by vertical. The average global cost of a data breach per lost or stolen record was $141. But health care organizations had an average cost of $380, and in financial services the average cost was $245, primarily due to the extra regulatory costs.

Taking the per-capita cost of $245 for a financial services data breach, and the number of affected consumers — up to 143 million — this would bring the cost of this incident to over $35 billion.

For context, this is double the current market cap for Equifax.

However, this may be the tip of the iceberg for not just Equifax but the entire financial services industry, and even other sectors.

At the very least, Equifax can expect a swath of litigation and technology investment to respond to its breach. But this could be the least of its problems. The credentials that most organizations use for account opening are now barely relevant for half of the U.S. population.

Bigger than one company

“The credentials stolen can be used to attack and to manipulate so many different types of accounts (financial, telco, utilities, etc.),” says Joram Borenstein, vice president of marketing and partners at NICE Actimize. “This means that the implications of this attack go far beyond the financial services world.”

It is also entirely possible that this was not just a run-of-the-mill data breach with the aim of identity theft, but something altogether more nefarious, such as a state-sponsored act designed to introduce instability to the backbone of the U.S. lending system.

It may not be the information taken out that is the biggest problem, but potentially what was put in.

According to Equifax, hackers “exploited a U.S. website application vulnerability to gain access to certain files.” That means intruders could easily inject malware into web servers, possibly without being detected, and use it to steal or delete sensitive data.

It may also mean that potentially tens of thousands of fake identities could have been injected into the Equifax data, poisoning the validity of the FICO score system overall. This could be a short-term worst-case scenario for the financial industry.

Much of this is hypothetical at this time, since very little information has been made public. But just as the Heartland and Target data breaches bolstered defenses for card data in the U.S., the Equifax breach could be the long-needed wake-up call for the financial services industry to end its reliance on static PII in favor of something far less valuable to compromise.