Earlier this month, the news broke about a large hack that occurred at Equifax, one of the “big three” credit reporting agencies. 143 million consumers were affected, resulting in personal data being stolen, including social security numbers, addresses, birth dates and driver’s license numbers.
According to Equifax, the breach was caused by a vulnerability in a piece of code in an open source tool called “Apache Struts”. The vulnerability was identified by the US Department of Homeland Security in March 2017; however, the hack occurred from May 17 to July 30th, when the associated web applications were taken offline by Equifax. Even more difficult to understand is that the news of this hack was only made public by Equifax on September 7, 2017.
As one of the consumers who was likely affected, I find it disappointing that a company with such sensitive information on so many consumers (Equifax claims to collect and aggregate data on more than 800 million consumers worldwide) didn’t patch critical vulnerabilities quicker and didn’t notify consumers earlier. On top of that, there has been considerable backlash against the public security site that Equifax put up to help consumers through this hack, equifaxsecurity2017.com. Why would a company create such a non-reputable domain to mitigate this issue? Consumers weren’t quite sure if they were on the appropriate site or a malware phishing site. Why not use www.equifax.com, a domain much more difficult to copy for malicious reasons? And if that wasn’t bad enough, the tool they provided to help consumers check to see if they were affected links to yet another domain, www.trustedidpremier.com, an Equifax tool for credit monitoring. Not only did Equifax get hacked, but they’re also trying to sell their products to those who got hacked.
If this had happened to a software company in Silicon Valley, I would expect the organization to experience a slow death until bought out by a newer, more modern competitor. Top talent in the coveted engineering pool would likely refuse to work there. But it’s a catch-22. You need top engineers to build the best (and most secure) products, and you need the best products to attract top engineers.
Privacy is No Longer a Priority
As a consumer, you feel helpless after this hack. Your information is sitting somewhere on some hacker’s computer, just waiting to be used to take out a loan or open a credit card. Now, it all seems crazy that the information we’re supposed to keep secret is used so liberally across all of our devices. Signing up for cell phone service, filling out medical records or, in some cases, even buying an airline ticket requires an SSN, birthdate and address. When we give our data to these companies, we trust that they have the expertise and resources to keep it secure. But I’m willing to bet that most of them don’t. With so much data in the digital world, it’s nearly impossible to keep up with which of my data is behind a reputable vault and which is behind a loosely guarded text file.
There needs to be a change. And while, optimistically, the change occurs with consumer behavior in how careful we are with our private data, I think the change must come from corporations housing the data. Consumers must demand more from these corporations. I’ll be the first to admit that it’s very difficult to stand my ground and demand better security; there are products and services that we just need to have and we’ll stop at nothing to get it.
But I didn’t give my information to Equifax. They collect it from banks, credit card companies, loan agencies, etc. so that they become the “single source of truth” to identify who would be a good person to loan money to. It seems insane, in this day and age, that all the information that is needed to ruin my financial life can be passed around from company to company. In addition to the changes needed for how we protect our personal data, changes are needed in the credit reporting industry. The “big three” (Experian, Equifax, TransUnion) take the lion’s share of the market and, honestly, they’re all liabilities. I don’t know what the solution is; whether it’s a new startup to disrupt the industry, or more regulations set by the government. Maybe it’s both. Maybe it’s more stringent policy around how to take out a loan or obtain a credit card. Shouldn’t everyone be entitled to a notification that their credit history has been requested? This should be the default, with an opt-out policy.
My friends and I have theorized that there might be a solution hidden in the growing blockchain industry that has been, so far, dedicated to the cryptocurrency gold rush. If there were a way to securely verify a person’s identity without having to use an archaic text password or a social security number, it could be used to unlock someone’s encrypted credit history. The blockchain is such a new innovation that we don’t even know what to use it for, but it’s obviously a powerful security tool.
In the end, we’re likely living in an era where we have to make a choice; either get left behind by not participating in digital innovations, or embrace technology and give up the ability to fully secure your private information. Unfortunately, privacy hasn’t quite caught up with technology, just yet.