Trading information and the company logo are displayed on a screen where the stock is traded on the floor of the New York Stock Exchange in New York, U.S., September 8, 2017

commentary

(Inside Sources)

November 3, 2017

The Equifax Breach: Yawn, or Yikes?

Trading information and the Equifax logo are displayed on a screen where the stock is traded at the New York Stock Exchange in New York, U.S., September 8, 2017.

Photo by Brendan McDermid/Reuters

by Sasha Romanosky

By now everyone has heard about the data breach at Equifax, one of the country's largest credit reporting agencies. Sometime between May and July, hackers allegedly exploited a months-old web vulnerability, and compromised user accounts containing huge quantities of personally identifiable information such as addresses, birthdates, Social Security numbers and credit card numbers.

Recent estimates suggest that 145.5 million accounts were compromised in the United States, along with millions more around the world. The breach was discovered by the Atlanta-based consumer credit reporting giant July 29, and was publicly disclosed September 7.

It is critical that consumers take steps to ensure their personal information is not abused.

Like other corporate victims of data breaches before it, Equifax said it acted immediately to stop the intrusion, then hoisted the burden of securing against potential loss due to the breach onto the shoulders of consumers. This may not seem fair, but it is critical that consumers take steps to ensure their personal information is not abused. The simplest and perhaps the most effective way to enhance personal digital security is to protect your account credentials—from bank accounts to Facebook accounts—using password management software.

While monitoring financial activity, as recommended by Equifax, may be a worthy first step, the kinds of information compromised in the breach could lead to many additional kinds of harm that cannot be fixed just by watching bank and credit accounts. Hackers can use personally identifiable information in all sorts of ways such as accessing accounts to steal money, making bogus purchases, even claiming government benefits. And with every account a hacker accesses, more personal information can be harvested to commit more digital mayhem.

While most people are probably used to hearing about data breaches involving personal information, the Equifax breach raises a number of questions, the first being how does a company like Equifax even have all of this information when consumers didn't knowingly provide it to them? The answer is rooted in the way Equifax and other credit bureaus operate.

There is a tremendous amount of information on everyone that is already publicly available—or at least available for a price.

There is a tremendous amount of information on everyone that is already publicly available—or at least available for a price. And Equifax's business model enables it to collect this information in order to develop dossiers on people. That is, after all, their core competency, and in many ways, this is a good thing. This is how they are able to assess and notify institutions of an individual's credit-worthiness.

Absent easy access to this information, banks and mortgage companies would likely charge even higher prices for credit and loans.

But now that Equifax and its millions of individual dossiers have been compromised, the next question is what should consumers do to protect themselves in this uncertain post-breach environment? While some claim that “you have zero privacy, … get over it” and others suggest there's no point even bothering to try to protect yourself, there still are precautions people can take.

Equifax, like most corporations that have suffered significant data compromises, responded to the breach online, offering consumers a way to find out if they were affected. It then offered consumers complimentary identity theft protection and credit file monitoring. It went on to recommend that consumers keep a close eye for suspicious activity in their account statements and credit reports. The company also suggested turning to the Federal Trade Commission's website to learn more about protecting against identity theft.

These are worthy suggestions for those who are completely unaware of the threat of identity theft and may be oblivious to the possibility that they can and should monitor their accounts for fraudulent activity. For others, however, these suggestions could be obvious, even galling. After all, Equifax is the one that allowed itself to get hacked, why should its customers have to assume the burden of cleaning up the mess?

Some will likely be infuriated that they now have to devote significant time and effort to monitoring their accounts, and taking other steps, even though they may never be the target of identity theft or other hacker misdeeds. This is the familiar problem that economists cite when describing harms that one bears because of another party. Indeed, it was a breach of a similar data aggregator, Choicepoint, in 2005, that led to the strengthening of breach notification laws in the United States.

Despite the burden in time and resources, there is of course value in being diligent in monitoring any financial transactions. At the same time it is important to take affirmative steps to protect online accounts, not just banking and credit accounts but also social media, news, work or school accounts. Since the first defense is the password, and since passwords are not going anywhere soon, the best way to protect the accounts without consuming too much effort is to use a password manager.

A password manager is a small standalone program (available for all major operating systems) that stores each username and password combination, sorted and classified however you like. It has the ability to auto-generate passwords of any length and composition that may be required. Best of all, users never need to remember, or even see, any of the passwords. They will all be different, and they will all be very resistant to hacking or guessing. All users need to remember is the one password to that application.

Yes, requiring that single password is not perfect: it presents a single point of failure in case the password database becomes corrupt or lost, and people still have to remember that one, big password. However, this is a key solution for several reasons.

Password managers provide enhanced protection at very little cognitive cost.

Password managers provide enhanced protection at very little cognitive cost, since users don't have to create and remember each username and password for dozens (even hundreds!) of accounts. It is scalable to as many passwords as any user may need. Changing passwords is also a snap.

I won't recommend any specific brand, but there are many free, and inexpensive options out there. I wouldn't recommend a cloud-based password manager, because they are vulnerable to internet-based attacks. Standalone software for computers and mobile devices is probably best.


Sasha Romanosky studies the economics of information security and privacy as a policy researcher at the nonprofit, nonpartisan RAND Corporation.

This commentary originally appeared on Inside Sources on November 3, 2017. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.