Can the US Prevent Another Mega-Breach Like Equifax?
Can the Damage From the Equifax Breach Be Minimized?
Cyberattacks are again generating headlines and global paranoia after Equifax, a major credit-reporting agency, announced the “hack heard around the world” earlier this month.
The July 29 mega-breach affected 143 million customers, from whom hackers obtained a trove of personal data including names, birth dates, and Social Security and credit card numbers.
More than 30 lawsuits have already been filed against the company, at least 25 in federal courts. Just days after the disclosure of the breach, Equifax’s stock value and reputation nosedived.
Suspiciously, a trio of prescient senior executives sold $1.8 million worth of shares just three days after the company reportedly discovered the breach — and a whole month before Equifax announced the news to the public.
Then on Thursday, the agency made an embarrassing move: In an attempt to help customers determine whether their data had been stolen, it inadvertently sent them to a phishing site masquerading as its own.
The Equifax breach, while historic in size, is no anomaly: hackers procured four billion data records last year. Described as the “oil spills of the digital economy,” data breaches are notoriously difficult to deter and contain — due in equal parts to flimsy regulations and lax security practices.
In the US, private businesses bear the brunt of cyberattack damage control and prevention, even though many are woefully unprepared.
Internal incidents account for 43% of data losses in the country, according to a 2015 report. The tech giant IBM reports that, of the nine billion records compromised in the last four years, only 4% were encrypted. In many cases, heightened internal oversight could have protected a myriad of usernames and passwords.
In July, IBM unveiled a new mainframe that, equipped with proprietary processing hardware, can encrypt up to 12 billion transactions a day, locking in unthinkable amounts of sensitive records in applications, local databases and cloud services.
Technological innovations may curb assaults against individual firms, but boosting market-wide data security will require greater federal oversight and a redesign of current user identification methods.
The European Union, for example, will impose a three-day window for breach notification starting next May; failure to meet the requirement incurs a penalty of 10 million euros. Similar but less stringent legislation in the US can propel organizations to adopt stronger safeguards against breaches by shifting accountability from consumers to executives.
One such safeguard is providing more secure encryption of Social Security numbers (SSNs), the key that unlocks a cache of personal information. The number of breaches involving stolen SSNs is increasing at an alarming rate, yet the SSN remains the personal authorization mechanism most widely used by credit-reporting agencies.
So how can affected Equifax customers insulate themselves against credit risk? Cyber experts say that the first step is to monitor credit activity by either requesting a report or setting up activity alerts. Then freeze your account to ensure that hackers do not open new lines of credit under your SSN. You can do so by calling one of the big three credit-reporting agencies — Equifax (1-800-349-9960), Experian (1‑888‑397‑3742) or TransUnion (1-888-909-8872).
Related front page panorama photo credit: Adapted by WhoWhatWhy from digital art (University of Salford Press Office / Flickr – CC BY 2.0).