One year ago today, Equifax suffered what remains one of the largest and most impactful data breaches in U.S. history. Last September, it was revealed that the personal information of 145 million Americans, almost 700,000 UK citizens, and 19,000 Canadians was stolen by cybercriminals.
This information included names, addresses, birthdays, Social Security numbers, and—in some cases—driver’s licenses. All critical, personally identifiable information (PII) that can be resold in the underground and used to commit identity fraud.
This breach had a very real impact on the millions affected. On Equifax? Or the industry as a whole? Not so much…
The result is that your personal information remains “entrusted” with various agencies without your knowledge. Agencies that may or may not have your best interests at heart. A year after the Equifax breach, your data has never been at greater risk. Why?
The Equifax breach made international headlines for weeks. It’s a story that has corporate intrigue, political uproar, and controversy…yet nothing really has changed.
Cybercriminals gained access to Equifax’s systems through a known vulnerability in Apache Struts (a Java web application framework). This easily exploited vulnerability had been left unpatched and unmitigated by Equifax for weeks.
When Equifax discovered the breach, they waited weeks to notify affected individuals and the general public. That notification came in the form of an insecure site on a new domain name. This contributed to the criticism the company faced as they bumbled the response.
The saga took a number of twists and unexpected turns as executives were accused of insider trading, having sold shares valued at $1.8 million after the breach was discovered but before the public announcement. The CIO and CISO stepped down in the wake of the breach. As the company continued to see pushback, political and consumer frustration, the CEO eventually resigned, allowing the company to try and turn the page.
After all, Equifax had the tools, people, and process in place to prevent the breach but simply dropped the ball…with catastrophic results.
One of the biggest challenges in light of this breach was the relationship that Equifax had with the affected individuals. Equifax maintained a significant amount of personally identifiable information on hundreds of millions of individuals in the US and around the world yet very few of these individuals had a direct relationship with the company.
Equifax and a handful of other consumer credit reporting agencies make their money by selling customer profiles and credit ratings to other businesses, essentially acting as massive reputation clearing houses.
Given the role played by these agencies, individuals in the US have alarmingly few avenues of recourse when their information is mishandled or breached while in the care of such an agency. This was a key point raised in the uproar after the Equifax breach.
One year later, let’s check in on the progress made so far…
Lack of Personal Data Protections
Alarmingly, there has been no federal action and only one state has passed legislation regarding personal data protections since the Equifax breach.
In June, California passed the California Consumer Privacy Act of 2018 (AB 375). This landmark legislation takes a much needed step towards personal data protections in the state of California. While not the driving factor for the legislation, the breach contributed to awareness of the need for such protections.
This protects Californians in a similar manner to Europeans under the GDPR. If either piece of legislation had been in effect during the Equifax breach, the company would have been looking at major fines.
Despite the initial uproar, very little has happened in the wake of the Equifax breach. The creation of strict regulation in the EU had been underway for years. The initiative in California had already been underway when this breach happened.
Despite the outrage, very little came of the breach outside of Equifax itself. They brought in new leadership and have tried to shift the security culture, both solid steps. The consent letter signed will help ensure that Equifax continues to build a strong security culture but it doesn’t impact any of the other agencies.
Is this the future? As more and more companies move to monetize data and customer behaviours, a lack of political will and a lack of consumer pressure means that YOUR data remains at risk.
Regulation is always challenging but it’s clear that the market isn’t providing a solution as few of the affected individuals have a relationship with the companies holding the data. Your personal information is just that…yours and very personal.
Individuals need the ability to hold organizations that put that information at risk accountable.