Equifax breach response deemed insufficient in multiple ways
Experts criticized the Equifax breach response as insufficient, given the size and scope of the data loss, and they said the company was likely not prepared for such an incident.
The Equifax data breach compromised the personal data, including Social Security numbers, of 148 million Americans, but experts are critical of how the company responded to the incident.
The Equifax breach was detected on July 29, but it was not disclosed until Sept. 7. After the disclosure, Equifax came under fire after reports surfaced that executives had sold stock in the company prior to the breach disclosure, and because language in the terms of service stipulated that victims who take advantage of the TrustedID credit and identity monitoring service could not sue if that service were to fail.
Despite these issues, the CEO of Equifax, Richard Smith, did not comment on the situation -- beyond a brief video posted with the initial announcement -- until Sept. 12. Smith claimed the Equifax breach disclosure took six weeks from the time of detection in order to give time for the investigation and because the company "thought the intrusion was limited."
"As of Tuesday [Sept. 12], more than 15 million people have visited the website and 11.5 million are enrolling in credit file monitoring and identity theft protection," Smith wrote in a public statement published by USA Today. "We took the unprecedented step of offering credit file monitoring and identity theft protection to every U.S. consumer. Every consumer, whether affected or not, has the option of signing up for the services."
Protection and monitoring
The identity protection service offered by Equifax was limited to one year of protection, which has been standard in incidents similar to the Equifax breach, but experts said that was not sufficient.
Peter Tran, general manager and senior director at RSA, said turning off the protections for those affected by the Equifax breach after one year "would be like turning off a pilot's instruments midflight."
"From a cyberdefense perspective, pervasive visibility and continuous monitoring [are] imperative for both known cyberthreats and suspicious digital movements, and for any breach of this magnitude, due care should extend to the affected consumers and/or end users," Tran told SearchSecurity via email. "The bottom line is no one knows at this point the extent and duration [of] this incident's exposure and risk."
Ferruh Mavituna, CEO of London-based Netsparker, said a Social Security number (SSN) "is for life, and it is very difficult to have it changed."
"The majority of people do not change their SSN, even in the case of an identity theft. They do not want to deal with the paperwork, bureaucracy, the police, etc.," he said.
"So, one year of ID monitoring is not enough to protect the victims in the long run," Mavituna told SearchSecurity. "The SSNs will still have the same value one year down the line, so the attackers just have to wait until the numbers are no longer being monitored and the victim stops keeping a close eye on the number to use them."
A number of experts noted that Equifax stands to profit off the identity and credit monitoring services if enough victims continue to use the product after the free year has passed.
Eduard Goodman, global privacy officer of CyberScout in Scottsdale, Ariz., said with just one year of service, "Equifax is offering to monitor their own files on all of us, which is essentially free to them, then go on to make a profit on offering credit and fraud monitoring in the subsequent years."
"The personal data exposed in the Equifax breach are truly the keys to the kingdom for identity theft," Goodman told SearchSecurity. "Those records for millions of Americans will end up on the dark web, for sale to cybercriminals who can use your name, birthdate and SSN to perpetrate a variety of scams. Often, the consumer is on their own, trying to repair the harm to their finances."
Equifax breach ramifications
Rebecca Herold, CEO of Privacy Professor, said the impact of the Equifax breach "goes so far beyond just the SSNs."
"The PINs of every one of the frozen personal records that Equifax has, whether or not they were included within the gargantuan breach, can now be determined by every person on the planet. Their format for creating PINs are so obvious -- basically, just the date you put a freeze on your account," Herold told SearchSecurity. "Think about it: Most folks putting a freeze on their account will do so soon after the breach was announced, making it not too hard for cybercrooks to just call up and remove the freeze. So, Equifax's security was lax and allowed a huge breach, but one of their responses to the breach can now exacerbate and enlarge the harm impact of the breach."
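The weakness Herold describes is a PIN whose value is a function of when the freeze was placed, so an attacker who knows roughly when most people froze their files can enumerate every PIN issued in that window. The following Python, added here as an illustration and not code from the article or from Equifax, contrasts that scheme with a PIN drawn from the operating system's CSPRNG. The exact digit layout of the timestamp-derived PIN (twelve digits, YYYYMMDDHHMM) and the 30-day enumeration window are assumptions made for the example; the article states only that the PIN was "basically, just the date you put a freeze on your account."

```python
# Added example (not from the article or from Equifax): a PIN derived from the
# freeze timestamp versus a randomly generated one. The twelve-digit
# YYYYMMDDHHMM layout is an assumption made for illustration.
import secrets
from datetime import datetime, timedelta
from typing import Iterator, Optional


def timestamp_pin(freeze_time: datetime) -> str:
    """Weak scheme: the PIN is the freeze timestamp written out as digits."""
    return freeze_time.strftime("%Y%m%d%H%M")


def candidate_pins(start: datetime, end: datetime) -> Iterator[str]:
    """Every PIN the weak scheme could have issued for a freeze placed in
    [start, end), one candidate per minute. This is the attacker's guess list."""
    t = start
    while t < end:
        yield timestamp_pin(t)
        t += timedelta(minutes=1)


def weak_search_space(start: datetime, end: datetime) -> int:
    """Size of the guess list for the window: one candidate per minute."""
    return int((end - start).total_seconds() // 60)


def guesses_to_recover(target_pin: str, start: datetime, end: datetime) -> Optional[int]:
    """Number of guesses (1-based) an attacker enumerating the window needs
    before hitting target_pin, or None if the PIN was not issued in that window."""
    for n, guess in enumerate(candidate_pins(start, end), start=1):
        if guess == target_pin:
            return n
    return None


def random_pin(ndigits: int = 10) -> str:
    """Hardened scheme: uniformly random decimal digits from the OS CSPRNG,
    so the date the freeze was placed reveals nothing about the PIN."""
    return "".join(str(secrets.randbelow(10)) for _ in range(ndigits))


def random_search_space(ndigits: int = 10) -> int:
    """Guesses needed to cover every possible random PIN of that length."""
    return 10 ** ndigits


def demo() -> dict:
    """Constructed scenario: a consumer freezes on Sept. 8, 2017 at 14:30, and the
    attacker enumerates the 30 days following the Sept. 7 disclosure."""
    window_start = datetime(2017, 9, 7)
    window_end = datetime(2017, 10, 7)
    victim_pin = timestamp_pin(datetime(2017, 9, 8, 14, 30))
    return {
        "weak_pin": victim_pin,
        "weak_space": weak_search_space(window_start, window_end),
        "guesses": guesses_to_recover(victim_pin, window_start, window_end),
        "random_space": random_search_space(),
    }


if __name__ == "__main__":
    results = demo()
    print("weak PIN issued:", results["weak_pin"])
    print("candidates in a 30-day window:", results["weak_space"])
    print("guesses until hit:", results["guesses"])
    print("random 10-digit PIN space:", results["random_space"])
    print("hardened PIN example:", random_pin())
```

A 30-day window at one-minute resolution yields 43,200 candidates, and the constructed victim's PIN falls at guess 2,311; a 10-digit random PIN has 10^10 possible values and no relationship to the freeze date. The practical point for anyone issuing such PINs is that the generator must not take the issue time, or any other attacker-observable value, as its only input.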
Goodman said the Equifax breach should highlight the need to seriously rethink SSNs in terms of "verification and identity management in the 21st century."
"The SSN has served us beyond what it was meant for and as a country. There are solutions that can be put into play. These include utilizing advanced biometrics, voice recognition, even typing pattern recognition. It will also involve the utilization of some combination of advanced encryption and blockchain technology," Goodman said. "My concern is that the government will lean on a stale concept, such as a national ID card or citizen ID number, both of which offer the same pitfalls as a SSN."
Tran said identity management and authentication "should never be tied to a single point of failure, and relying on data points alone such as birthdates, social security, driver's license numbers and the like have posed challenges for many years."
"This breach was the final knockout punch to show a move to electronic identification (e-ID) multifactor identity and authentication technology, lifecycle and governance platforms is long past due," Tran said. "It's likely going to spark aggressive legislative discussion on whether a new national e-ID program will be implemented to include the use of a unified smart card chip-and-PIN, RFID and/or biometric identification standard to reduce the current and future data exposure risks."
Herold noted there are security and privacy risks in such e-ID programs, as well as major logistical issues in moving away from SSNs:
Some want to move to biometrics, but that will include not only technology challenges, but also significant privacy issues. A big challenge is that so many organizations, of all types and sizes, now use SSNs and have used them for many decades. It would probably be a bigger challenge than moving the U.S. from [imperial measurements] to the associated metric units. Our ideas for how to do identification need to dramatically change from what we've been considering. We are stuck in an identity innovation rut and need to have a dramatically new idea that is comparatively easy to switch to. Such inspiration has not yet been described, though.