Lessons learned from Equifax
By Laura Haight
Everyone, breathe a big, deep sigh of relief. The shoe has dropped: You no longer have to worry about identity left. Why? Because it's a pretty safe bet that your Social Security Number (SSN) and other personal information is out of the barn and running naked through the pastures of the dark web.
First, don't panic. Second, don't think this means you can go back to 'mydog2017' as your password.
I was planning this column based on the Equifax breach that affected 145.5 million people. And then Yahoo! slipped a tidbit into a busy news day, admitting that its 2013 breach exposed the personal information of all three billion of its customers.
That’s just the most recent brick in the wall. Through just a handful of government hacks, more than 240 million Americans had their SSNs exposed. They included: The IRS breaches of 2015, 2016 and 2017, which all together exposed 1.14 million SSNs; the breach of the US Office of Personnel Management, which has the personal information and background check data for every individual who has ever worked for the government or applied for a government job, exposed a whopping 21.5 million; a 2015 hack of voter data across the US, that was another 191 million. And, way back in 2006, 26.5 million veterans had their personal information exposed in a breach of the VA.
And that's not even all of the government breaches. We haven't even touched on the three SC breaches. Nor the many, many commercial breaches from Target and Home Depot to Anthem Health Care, Bon Secours, and Sony, to name just a few. (See all data breaches in perspective). Nonetheless, this is no time for melancholy. Even though Equifax is a huge corporation that doesn't mean that there aren't takeaways for every business, agency, or nonprofit.
The Equifax breach was the result of one IT staffer who did not do what he was supposed to, according to the congressional testimony of former CEO Richard F. Smith last week. Well, that's an easy scapegoat, but no employee goes unmanaged. Lesson #1: Verify. Simple. Unmonitored standards degrade over time because employees may often determine that no one seems to care and, thus, this process isn't that critical. It may get done eventually, but as Equifax learned it may take as little as a week to go from secure to hacked.
Over-reliance on technology seems to give businesses a false sense of security. Hacking, cracking, cybercrime, is a business problem. A major one. And technology alone will not fix it.
According to published reports, the Equifax intrusion detection system failed to recognize that there had been a breach. I am going to make an assumption that Equifax has a large technology infrastructure, expensive hardware and software systems dedicated to security, and a pretty robust staffing level. Lesson #2: Technology alone will not be enough. Protecting yourself and, more importantly, your clients from data exposure will depend on a three-pronged approach of hardware, software, and humanware. Don't spend all your security money on systems; save some for training, and an independent resource/process review.
How long was a hacker bleeding information out of Equifax's systems? Nearly three months. That was followed by a full five weeks before Equifax acknowledged the hack. Lesson #3: Things get worse the longer they go on. It is possible to lock the barn door while you still have a few horses left. But for that to happen, employees have to believe they won't be summarily canned for blowing themselves in. It's easy to make a mistake and hard to admit it. Encouraging employees to brutal honesty while dangling a get-out-of-jail-free card is an important step to stopping hacks quickly – while they can be controlled.
Stop asking for things you don't need. I'm talking to you, medical practices. Several times in the past few months, I have had to fill out paperwork that asked for my SSN. I refuse to write it on the form, and offer instead to hand a post-it to the receptionist and wait while they enter it, returning the post-it to me. Usually they say they don't really need it. Lesson #4: Then don't collect it. Once you have it, you have a legal responsibility to protect it, and a significant liability if you don't.
There may be one good thing to come out of the Equifax situation. The White House and Congress have just started to kick around the idea of changing our primary identification method. The newly minted idea has many challenges and affects every aspect of American life, so don't expect a quick solution. But it is something to watch for and stay on top of. We should push for smart changes to this system and stay on top of elected officials to ensure solutions to protect us do not invade our privacy in the process.