Hacking is inevitable, so it’s time to assume our data will be stolen

Authored by qz.com and submitted by mvea

If recent hacking attacks such as the one at Equifax, which compromised personal data for about half of all Americans, have taught us anything, it’s that data breaches are a part of life. It’s time to plan for what happens after our data is stolen, according to Rahul Telang, professor of information systems at Carnegie Mellon University.

Companies are prone to understating the scale of hacks, which suggests that there need to be better standards for disclosing breaches. Yahoo recently confessed that its data breach actually impacted 3 billion user accounts, three times what it disclosed in December. Equifax also boosted the number of people it says were affected by its hack.

The data stolen at Equifax was highly harmful for consumers, compounded by what Telang says was an incompetent response from the company. Equifax first disclosed its data breach on Sept. 7 and says it discovered the unauthorized access on July 29. The firm, which collects data on 820 million consumers and more than 91 million businesses worldwide, said it was concerned about “copycats” breaking into its systems, an excuse disputed by experts, according to the Financial Times (paywall).

As Telang sees it, a determined hacker is probably going to succeed, yet there’s far too little focus on limiting the damage. Credit freezes could be automatic, and wherever possible data could be aggregated to protect individual identities and private information. The types of fraud-protection services that Equifax sells to customers could be made available to victims as a default.

Government intervention may be necessary, as consumers are vulnerable to the credit raters’ mistakes but have little choice but to accept their role in finance. Consumers aren’t really customers for Equifax—the company makes money from banks and credit card companies that buy data from it.

US senator Elizabeth Warren has said she wants to see the consumer credit rating industry—which is more lightly regulated than banks and credit card companies—completely overhauled. “The incentives in this industry are completely out of whack,” Warren said at a hearing. Equifax “could actually come out ahead.”

Government intervention may also be needed because companies like Equifax, Experian, and TransUnion aren’t in a particularly competitive industry. They benefit from what economists call “network effects,” meaning the bigger they become, the more financial firms are willing to share data with them, making their services more attractive to buy, according to Telang.

Even vaunted financial technology startups are unlikely to shake up the sector. While newer firms may have better machine-learning technologies or make use of alternative data sources to enhance their algorithms, Telang says their techniques can be copied, and Equifax probably has more data than they do anyway.

“This market has a propensity to consolidate around a few large firms,” he says. “One firm having a lot of data can produce more insight than lots of firms that have less data.”

And when valuable data is collected by a few firms, it makes them all the more attractive targets for hackers.

AFJay on October 10th, 2017 at 13:56 UTC »

I don't understand why a 10 digit number and a few publicly available facts identify a person. What we need are IDs with PKI. Your records are signed by your private key or it wasn't you. If you lose your ID you report it lost and any records not signed with your current private key aren't you.
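One way to build the scheme AFJay sketches, as an added example that is not part of the thread or of any real credit bureau's system: each record carries an Ed25519 signature and the signer's public key, reporting the key lost rotates it, and verification accepts only records under the current key. The Record and Identity types, the helper names and the payloads are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Record is a constructed stand-in for a credit-file entry: payload, signature, claimed signing key.
type Record struct {
	Payload, Signature []byte
	PubKey             ed25519.PublicKey
}

// Identity holds the account holder's current signing key.
type Identity struct{ current ed25519.PrivateKey }
func NewIdentity() (*Identity, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{current: priv}, nil
}
func (id *Identity) pub() ed25519.PublicKey { return id.current.Public().(ed25519.PublicKey) }
// Sign produces a record under the holder's current key.
func (id *Identity) Sign(payload []byte) Record {
	return Record{Payload: payload, Signature: ed25519.Sign(id.current, payload), PubKey: id.pub()}
}

// ReportLost rotates the key: whatever the old key signed, by the holder or a thief, stops counting.
func (id *Identity) ReportLost() error {
	fresh, err := NewIdentity()
	if err != nil {
		return err
	}
	id.current = fresh.current
	return nil
}
// Verify applies the commenter's rule: current public key, and a signature that checks out under it.
func (id *Identity) Verify(r Record) bool {
	return r.PubKey.Equal(id.pub()) && ed25519.Verify(r.PubKey, r.Payload, r.Signature)
}

func main() {
	id, _ := NewIdentity()
	r := id.Sign([]byte("constructed: open new credit line"))
	fmt.Println("before loss:", id.Verify(r)) // true
	_ = id.ReportLost()
	fmt.Println("after loss:", id.Verify(r)) // false
}
```

The strict rule also invalidates the holder's own earlier records after a rotation; a deployable version would keep a history of keys with the time each was reported lost, so only records from after that point are rejected.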

mr_snarkyshoes on October 10th, 2017 at 13:47 UTC »

I think this is especially so when it comes to identity theft. Knowing someone's SSN and mother's maiden name should not be enough to impersonate them for legal/financial matters. We should assume all that information is out in the open.

If we're going to have this big inescapable information network that contains all your personal information, then there should be a set of standards and procedures for establishing your identity in a secure way.

the_hoser on October 10th, 2017 at 12:34 UTC »

It all starts with a simple question that so many people refuse to answer: "What happens when this gets compromised?"

So many people aren't equipped to even think like this. There's this mentality of trust going around that is seriously unhealthy. Even in the information security industry, it's much easier to sell prevention than it is to sell damage control. We need to stop coddling these businesses and customers into a false sense of security.

To get back to the question: What happens when this gets compromised? Simply answering this question honestly puts you in a better situation, security-wise. Maybe you don't use the same password for everything. Maybe you only put the data that actually needs to be there on the service. Maybe you decide that the service isn't as important as you thought it was.

The thinking is simple. Instead of trying to figure out which devices and services you can trust to remain secure, just assume the worst, and trust that they are probably not secure. What info would you share if this were the way you thought about these things?