After the breach: Staying safe in a world awash in purloined information
As news of the Equifax breach coursed through newspapers and cable networks in September, credit expert John Ulzheimer tried to write down every place that had access to his personal and payment information.
The list stretched into decades of job applications, travel records, tax returns and loans. He gave up trying to remember them all after about a half hour.
The exercise was a testament to a near-inescapable reality that has only grown worse in the internet age: Lots of people already may have your personal information — or, in the case of a business owner, information that could allow criminals to impersonate potential clients and vendors.
The information usually sits undisturbed, safely out of the hands of criminals. But as the Equifax breach has shown, virtually no company is 100 percent hack-proof. That fact, according to some cybersecurity experts, means consumers and businesses need to move away from assuming their information is secure to assuming that criminals already have it.
Instead of focusing only on data protection, businesses also must make sure to verify the identities of customers, vendors and others; watch their bank accounts for fraud; and exercise caution about the kinds of information they offer about themselves online.
“There is no delete button. You can’t just pull all that information out of the cybersphere,” said Ulzheimer, a former employee of Equifax and credit scoring agency FICO. He is now president of Georgia-based consulting firm The Ulzheimer Group. “Really where we are in kind of the chronology of events is we have to think more about protecting ourselves than not making our information public.”
When your data isn't yours
The Equifax breach has served for some consumer advocates as a cold splash of water to the face, reminding them just how vulnerable a business can be to a hack, and how devastating the results can be when that business deals in personal data.
A group of hackers — no one is yet sure who — broke into the credit rating agency’s systems between May and July of this year, accessing information like Social Security numbers, birth dates and addresses belonging to more than 143 million people, or just under half the U.S. population. They also potentially grabbed a small number of driver’s license numbers and credit card information.
The breach was far from the first one to compromise consumers’ personal information. A litany of other companies — including Home Depot, Target, Sonic Drive-In, Visa and MasterCard, just to name a few — as well as government agencies like the U.S. Securities and Exchange Commission have reported smaller breaches in recent years.
The Equifax hack also was not the largest breach ever — that record belongs to a 2013 breach at Yahoo that compromised birthdays, passwords, security question answers and other data associated with all 3 billion Yahoo email accounts that existed at the time.
So in a world where so much information is already compromised, what makes the Equifax breach so significant?
The answer has less to do with the type of information compromised than it does with the volume, said Andrew Hacker, cybersecurity expert in residence for Harrisburg University of Science and Technology.
People buying hacked information on the black market can only do so much with a single Social Security number or credit card number, Hacker said. But when that information is packaged with information like birth dates and past addresses, it is a lot easier for criminals.
That’s exactly what happened with the Equifax breach. Adding to the damage is the fact that the information compromised is not the sort that people can easily change — credit cards can be canceled, but Social Security numbers and past addresses are usually forever.
Despite the severity of the Equifax hack, the reality of personal data no longer being personal is not really a new one, Hacker said. Even the head of the Internal Revenue Service has said he does not expect to see an increase in fraudulent tax returns this year because criminals already had access to much of the data compromised in the Equifax breach.
Adding to the issue is the fact that the amount of personal information people broadcast about themselves is growing exponentially. People readily offer up their addresses and phone numbers for all kinds of online services, not knowing which one might be the next to be breached. Smartphones collect not just personal information but also GPS coordinates. And as the “internet of things” — smart-home devices like Wi-Fi-connected TVs, appliances and even children’s toys — grows, so does the potential for people to harvest that data and use it for nefarious purposes.
“Definitely the landscape is getting more complex out there, and complexity is definitely the enemy of cybersecurity,” Hacker said. “The cybersecurity industry has to keep up with those technologies, stay ahead of the curve. The consequences are getting higher and higher.”
Responding to a breach
Data breaches not only harm individuals but also the companies that find themselves the victims of cybercrime. Just ask Equifax.
Multiple states, financial institutions and other parties have filed lawsuits against the company in the wake of the breach. The company’s reputation has taken a massive hit, and several of its top executives have stepped down.
One thing that sets Equifax apart from other businesses is the fact that it may not have to worry about losing customers. Businesses, not the consumers who had their information compromised, are Equifax’s main clientele. Consumer information is the commodity that Equifax sells. While the hack will likely mean that companies need to more carefully vet potential customers and vendors, and could be more susceptible to fraud as a result, it’s unlikely that many will stop using Equifax’s services, Ulzheimer said.
Companies can work with other credit reporting agencies like TransUnion or Experian and could theoretically cut their ties with Equifax. Ulzheimer, however, believes companies need to weigh whether a data breach offers enough of a reason to stop doing business with someone.
“If that’s your measuring stick — anyone who’s breached we don’t do business with anymore — you’re severely limiting your reach because pretty much anyone can be breached,” Ulzheimer said.
While state and federal law dictates some of the steps companies must take after a data breach, they generally have significant discretion in how they interact with affected consumers.
Consumers and lawmakers quickly criticized Equifax when news of the breach broke in September, not just because the company failed to protect its massive collection of personal information but also because it waited nearly five weeks after the hack’s discovery to inform the public. Equifax then subjected consumers to fees and forced-arbitration agreements if they signed up to freeze their credit to protect themselves from fraud. The company eventually waived those fees and changed the agreements after facing public backlash.
Federal law does not require most companies to inform consumers about data breaches, nor does it mandate that they offer any sort of protection if one occurs. Exceptions exist only for breaches involving certain types of health care information, and certain types of personal information stolen from publicly traded companies.
Several Democratic lawmakers in Congress have proposed federal legislation that would enhance reporting requirements and increase availability of free credit freezes in the wake of a breach, but those proposals face uncertain futures without Republican co-sponsors.
That means the onus remains on states.
Most states, including Pennsylvania, have their own laws governing how companies need to inform their customers if their personal information ends up in the hands of criminals. Pennsylvania’s current regulations, though, are relatively vague, only requiring businesses with specific types of compromised information to report leaks “without unreasonable delay.”
Pennsylvania House Commerce Committee Chairman Brian Ellis (R-Butler) proposed a bill in October that would require companies and other entities to notify customers of breaches within 30 days of their occurrence, in addition to sending a notice to the state attorney general’s office. Companies would also have to develop policies to prevent future breaches.
Another bill, proposed by Rep. Mike Driscoll (D-Philadelphia), would require credit reporting agencies like Equifax to waive the fees they normally charge consumers for credit freezes if a breach occurs.
Neither Driscoll’s nor Ellis’s bill had progressed beyond the House as of late October.
Regardless of legislation, consumers need to continue looking out for themselves as more of their personal information inevitably leaks into the hands of people who might misuse it, Hacker said. That means signing up for credit freezes, enrolling in credit monitoring services and just generally being aware of the sheer quantity of personal information already potentially floating around the web.
Questions to ask after Equifax
The Pennsylvania Department of Banking and Securities is urging leaders in all industries to ask themselves the following questions in order to keep their clients’ information safe in the wake of the Equifax breach:
- Does our business require the use of multifactor authentication for accessing sensitive data?
- How does our business verify the identity of clients? Do we have procedures in place to catch obvious warning signs, such as mismatched dates, address discrepancies and multiple incorrect login attempts?
- Does our business manually verify information, rather than relying solely on electronic documents, which are easier to manipulate?
- How are our employees trained in handling stressful “emergency” calls, so they can expedite assistance without falling into a criminal’s trap?