In the aftermath of the “[largest ever] breach of private consumer data”, as US Senator Jeff Flake (Arizona) put it, Members of Congress are calling for greater accountability from businesses and their staff in how they handle and store Personally Identifiable Information.
“Companies do have a legal obligation to protect sensitive consumer data. This diligence is necessary to both comply with existing laws and maybe more importantly earn and keep the public’s trust in a data-driven economy,” said US Senator Greg Walden (Oregon).
Last week Richard Smith, former Equifax CEO and Chairman, testified at multiple congressional hearings, including the Financial Services Committee, the Energy and Commerce Subcommittee, and the Senate Judiciary Committee. “The breach happened on my watch,” said Smith. All sessions echoed a common theme: businesses that do not comply with a strict code of conduct regarding the use of private and vulnerable information should face strict penalties. Overall, US Members of Congress expressed a sense of urgency in the wake of the Equifax breach and called for strong public scrutiny of Equifax’s slow and ineffective response to the cyberattack, which extended from March to July 2017 and affected over 145 million Americans.
During the Senate Judiciary Committee hearing, US Senator Thom Tillis (North Carolina) emphasized that investing in information security prevention and response is fundamental to the livelihood and social standing of businesses:
“You have to secure the data to maintain your reputation. We must continue to put pressure on businesses to make the remediation that is required after a breach occurs. We have got to figure out how to get that right. And we need to have discussions … that [address] the millions of people and the hundreds of thousands of businesses that are every bit as vulnerable as Equifax based on the current pace of bad actors versus the current pace of enterprises [that are] hardening their [own] systems.”
The Equifax breach represents a turning point in the collective dialogue surrounding information security, as it unites government officials, corporate leaders, IT experts, and victims of cybercrime in assessing the magnitude of privacy violations and the best practices for moving forward. Primarily B2B, Equifax Inc. is a $3-billion company that specializes in gathering and selling the personally identifiable information of over 820 million individuals internationally, explained US Senator Walden.
US Members of Congress, including Senators Elizabeth Warren (Massachusetts) and Ryan Costello (Pennsylvania), have expressed their outrage at Equifax’s lack of efficiency, as the company let the breach extend from March to August 2017 without ever notifying the public. Senator Warren is currently introducing new legislation, the Freedom from Equifax Exploitation Act, that gives consumers the choice to reclaim control of their credit information, for free, by freezing or unfreezing credit access. The ripples of the breach are quickly spreading through Congress.
Two questions come to light: how do we move forward, and what can be done? US Senator Anna G. Eshoo (California) eloquently illustrated the level of distress that overshadows the public’s perception of Equifax and its information security protocols, ultimately emphasizing that cybersecurity strategy and awareness are fundamental to the proper management of consumers’ confidential data:
“I have the privilege of representing most of Silicon Valley. I have asked this question about the protection in terms of privacy breaches in our country to just about every CEO I’ve met. They have responded like a chorus and said that there are two main reasons for breaches in our country: a lack of hygiene in systems and very poor security management. So it’s distressing to me knowing this information that homeland security notified Equifax – this is almost seven months ago… But you, as CEO at the time, when homeland security informed your company that there was a breach, what did you say to your CIO officer? Did you understand what the breach was? Did you understand what the patch meant? Did you understand the timeliness, the need for timeliness to have this fixed?”
Understanding the Repercussions
Indirectly, the above statements and exchanges indicate that an effective security-awareness strategy within an organization is vital to sustaining a business culture built on privacy and best practices. The Equifax breach is proof of what not to do. The consequences of such breaches are serious: they affect the lives of consumers and staff and can shatter the image and brand of a business. Cybercriminals, whose identities have not yet been confirmed, now have access to people’s most private and personal information and may use or sell it as they see fit. This data is permanent and includes dates of birth, social security numbers, and current and former addresses. Consumers are at substantial risk of identity theft. Staff may face an increase in fraudulent activity during their workday, which can lead to further phishing incidents and social engineering. Finally, corporations suffer as their once well-established reputation is dragged down by a data breach that could have been prevented in the first place. The repercussions are disastrous every way one turns.
Businesses need to reflect hard on their own information security strategy and on the many preventive measures available in the market to avert such negligence. Security protocols developed in a pre-digital era do not suit the contemporary information context; strategies and best practices need to reflect the current data environment. An intelligent and comprehensive awareness campaign is a must when handling consumers’ personal data. Fraudulent activity will continue, given the sophisticated data environment in which we operate. Yet businesses have the social and economic responsibility to protect, in good faith, the more vulnerable. Let the Equifax fiasco be a lesson to all. Now we pick up the pieces and move forward in a more secure direction.
Timeline of Events
March 8th
- Homeland Security reaches out to Equifax advising them of suspicious activity in one of their portals.
- Smith claims that Equifax investigated the tip, but nothing was found.
March 9th
- An Apache Struts application running on Equifax’s IT network required patching. Two important oversights took place on this date, testified Smith. He explained to Congress that the first was a human error, whereby “the individual, who was responsible for communicating in the organization to apply the patch, did not”.
- The second oversight involved technology. Smith indicated that the scanner that was supposed to check the system for vulnerabilities and apply patches where necessary did not locate the weakness.
July 29th – 31st
- Smith indicated that Equifax’s security team detected suspicious activity in one of its IT portals. There was no confirmation of a breach, as such activity is considered “routine” in IT security work. The portal was taken down and an internal investigation began.
August 2nd
- Equifax engages external legal and forensic experts to investigate the suspicious activity. Smith reported that Equifax was not yet aware of the nature and scope of the data breach.
Mid-Late August
- Weeks after the initial investigation began, Smith claimed, he received confirmation that a breach of personally identifiable information had occurred.
September 7th
- Equifax announces to the public that a widespread data breach has occurred. The largest such breach to date, it affects almost half of the American population.
Source: House Energy and Commerce Subcommittee Hearing on Equifax Data Breach, C-SPAN.org
(https://www.c-span.org/video/?434786-1/lawmakers-grill-former-equifax-ceo-data-breach)