RSI Security

PII in the Sky

Affecting 143 million people, the recent Equifax data breach might on the surface pale in comparison to the recent Yahoo breaches that exposed personal details for roughly 1.5 BILLION of its users. What makes the Equifax incident perhaps the most consequential and severe hack of all time, though, is the quality of the information extracted from the credit reporting company.

While hackers may have gained passwords or credit card information from the Yahoo breach, the fallout and damage were relatively contained, since users can easily change passwords and get another credit card number, and are also shielded from credit card fraud liability.

The Equifax breach, however, let loose the holy grail of sensitive data: Personally Identifiable Information (PII) such as Social Security numbers, birth dates, addresses, and even driver's license numbers. As we all know by now, these data points are the foundation for establishing a person's identity and for building and maintaining a credit history that influences our ability to obtain automobile or home loans, or even to get a job.

According to Equifax, the 143 million US citizens affected by this breach account for 44% of the total population, but an even more damning statistic emerges once you remove children and individuals without credit histories — the proportion of the relevant population affected grows to around 60%.

This most sensitive PII could now be out in the wild and in the hands of criminals, gangs, and governments hostile to the US, and nothing can be done to pull the data back or change it, since a Social Security number is an immutable identifier. Or is it? This incident might finally prompt the government to issue a Social Security replacement, perhaps a multi-factor authenticated personal identifier — 20 alphanumeric characters (something you know) verified with a smartphone text message (something you have) and with biometrics (something you are).

Absurd measures? Perhaps not, given ever-increasing attacker capabilities and the elevated stakes now involved.

The ripple effects of this breach will persist for the foreseeable future — consumers are likely to experience credit denials and ID fraud for decades, exposing Equifax to potentially unlimited financial liability. In just the few hours after the breach was reported, two class action lawsuits were filed, one of them seeking $70 BILLION in damages. The figure of 143M victims may grow as forensic investigations continue, as will the number of opportunistic lawsuits filed as a result.

One key takeaway from incidents such as these is the need to truly understand and quantify the downstream ramifications of a breach. Whether you run a small business or are responsible for enterprise security, the cost of protecting your clients' confidential data pales in comparison to the total liability costs and reputational damage.

Early indications are that hackers exploited security flaws in open source software that Equifax employs to get at databases containing customer PII. But in reality, getting at that sensitive PII can be much easier than that. PII on tax return forms, loan applications, etc. can be stored on laptop hard drives, on smartphones, and on external hard drives — all portable mass storage media subject to loss or theft.

For the past few years, FINRA has stressed the importance of protecting PII — first understanding where it's stored, assessing whether storing the PII is really necessary, and then purging PII whenever and wherever possible. This is all in an effort to limit the chances that your customers' sensitive data is accessed by bad actors if the storage device is lost or stolen.

There are reactive measures that contribute to PII data security on portable storage, such as full-disk encryption, but it's still best practice for the confidential data not to need encryption in the first place, simply because it was never present at all. RSI can help you to be aware of where PII might be residing on your PC via our free PII scanner detection tool. Contact us today for a free consultation on how we can help reduce your liability scope by reducing risk factors in your systems.
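As an added illustration of the first step FINRA describes (locating PII before deciding whether to purge it), here is a small Python scanner written for this page; it is example code, not RSI's PII scanner tool. It walks a directory such as a mounted laptop or USB drive, flags plausible Social Security numbers using the SSA's structural issuance rules to cut false positives, and reports only masked values so the scan log does not become a PII store itself. The files it scans in `demo()` are constructed samples.

```python
import os, re, shutil, tempfile

# Candidate SSN: three, two and four digits with optional '-' or ' ' separators,
# not embedded in a longer digit run (this alone rejects 10-digit phone numbers).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def is_plausible_ssn(area, group, serial):
    """Values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)

def find_ssns(text):
    """Return plausible SSNs found in text, normalised to NNN-NN-NNNN."""
    return ["-".join(m.groups()) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]

def mask(ssn):
    """Keep only the last four digits in the report."""
    return "***-**-" + ssn[-4:]

def scan_tree(root):
    """Walk a directory tree and map each file path to the masked SSNs it contains."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                # errors="ignore" lets us skim binaries; a real tool would parse by file type
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_ssns(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                findings[path] = [mask(h) for h in hits]
    return findings

def demo():
    """Constructed sample tree: a tax-form draft with two SSNs, a notes file with look-alikes."""
    root = tempfile.mkdtemp()
    try:
        samples = {
            "tax_return_2016.txt": "Form 1040 draft. Taxpayer SSN 123-45-6789, spouse 234 56 7890.",
            "notes.txt": "Call 555-123-4567 about ticket 000-12-3456; ref 666-12-3456.",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): hits for p, hits in scan_tree(root).items()}
    finally:
        shutil.rmtree(root)
```

Only the tax-form draft is reported; the phone number and the structurally impossible SSNs in the notes file are not flagged.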


About the Author

Eric Haruki is a technology analyst with over 15 years of experience advising global category leaders such as Samsung, Panasonic, HP, and Cisco on product and brand strategy, market competitiveness, and areas of untapped product and distribution opportunity. He has produced both syndicated and project work, delivering forecasts, SWOT analyses, road maps, and panel survey insights to research customers around the globe. Eric has contributed to major print and television press outlets and has been a featured presenter at industry conferences. He is driven to find insights through extensive market research and deliver concise and actionable solutions to vendors, leading ultimately to the development of valued downstream goods and services for end users.