The Institute for Critical Infrastructure Technology (ICIT) has released an analysis of the “systemic organizational disregard for cybersecurity” at credit reporting company Equifax that allowed the theft of sensitive financial data on 143 million Americans, as well as 400,000 Brits and 100,000 Canadians.
ICIT Senior Fellow James Scott authored the analysis, which characterizes the breach as “catastrophic” but “inevitable,” given Equifax is “yet another negligent data broker” that has “proven itself to be a compromised, irresponsible data custodian.”
In an interview with Fifth Domain, Scott said that if the FBI and FTC investigations uncover any intentional malpractice or illicit activity by Equifax executives, then the agencies should “prosecute those individuals to the greatest extent of the law.”
But Scott didn’t stop there. He said the findings of the Equifax investigation should be used by legislators to “reconsider whether data brokers require greater governance and oversight.”
Scott added, “Overall, the actions of Equifax and other data brokers do not appear to protect consumers or their data. Investigators and legislators will need to consider what can be done to curb negligent data broker activities before more consumers are victimized.”
Scott joins a chorus of lawmakers, state attorneys general, security experts and consumers expressing everything from incredulity to outrage over the cybersecurity measures Equifax had in place to protect highly sensitive data, measures the ICIT analysis characterized as “lackadaisical.”
For example, Steve King, chief technology officer of Netswitch Technology Management, wrote on LinkedIn, “In the cybersecurity world, Equifax is the new poster child for carelessness, ignorance, advanced stupefaction and greed. It may also have set the standard for criminal negligence in cybersecurity.”
The company’s response to the breach, which compromised data on nearly half of all Americans, drew even more criticism and anger. Three executives sold nearly $2 million in Equifax stock just days after the company said it learned of the incident. The company claims the three executives, including the CFO, were unaware of the breach when they sold their shares, which have fallen about 30 percent in value since the company announced the breach on Sept. 7. The Department of Justice has opened a criminal investigation.
Many criticized Equifax CEO Richard Smith’s “tepid” and “tone deaf” apology to affected consumers, who are now at an elevated risk of identity theft and financial fraud. Smith has since been summoned to testify before Congress on Oct. 3.
Some in the cybersecurity community expressed amazement after learning that Equifax’s chief security officer and chief information officer – both of whom have “retired” since the company announced the breach – appeared to lack what many security professionals consider qualifying credentials for their respective positions. Equifax scrubbed the internet of video interviews with the former CSO, who also deleted her LinkedIn profile after a screenshot went viral showing she had studied music composition in college and held no cybersecurity certifications.
The company’s perceived gaffes were not limited to the actions of executives. For a short time, Equifax directed potentially affected consumers from its Twitter page to a phishing site (www.securityequifax2017.com). The authentic website (www.equifaxsecurity2017.com) created by the company to assist victims struggled to support the volume of traffic and provided inconclusive answers on whether individuals had been affected by the breach.
The company also inserted language into its offer for a year of free credit monitoring that precluded enrollees from participating in any of the many class action lawsuits that have since been filed, including one in Oregon that seeks up to $70 billion in damages, which would bankrupt Equifax if successful.
Given the number and nature of missteps, investigative journalist Brian Krebs characterized Equifax’s incident response as a “dumpster fire.”
Despite its scale and potentially serious implications for victims, the Equifax breach is not the largest in U.S. history. That dubious distinction goes to Yahoo!, which late last year disclosed that the data of 1.5 billion account holders had been compromised in cyberattacks dating as far back as 2013.
Equifax is also not alone in falling victim this year. So far in 2017, there have been 918 breaches consisting of 1.9 billion data records lost or stolen globally, according to a report recently released by digital security company Gemalto. The nearly two billion records exceed the total amount lost or stolen in all of 2016, with an average of 10,439,560 records per day, the company reported.
During the interview with Fifth Domain, Scott voiced the frustration many feel about such incidents and the data brokerage industry at large. “Consumers often remain unaware of which organizations have their data, how that data is secured in storage, transmission and processing, and in some cases, whether those organizations have been breached.”
He continued, “Consumers cannot opt-out of this massive dragnet surveillance. They and their data are effectively hostages to negligent data brokers.”
Compounding consumers’ limited knowledge of, and inability to prevent, the aggregation of their data, current practices leave consumers vulnerable long after breaches occur, Scott noted. “Exfiltrated [data] remains compromised for years or decades,” Scott said. “Most companies offer victims a single year of credit monitoring as recompense for a lifetime of assumed risk and potential impact.”
In Scott’s view, business models are at least partly to blame for the current situation. “In the past,” Scott said, “consumers allowed organizations to collect and leverage their data because consumers gained some utility or economic incentive from the organization. Now that data brokers capitalize consumer data as a business model, consumers receive no such incentive.”
Given the current environment, Scott said existing data privacy and breach laws are outdated and should be “modernized to reflect the current threat landscape.” Scott added, “The laws need to focus around consumer and data protection rather than catering towards organizations and special interests.”
The prospect for tougher reforms emerging from Congress is currently mixed, as Fifth Domain has reported. Scott expressed skepticism about the will of government and industry to act.
“Despite jeopardizing the Social Security numbers and other sensitive information of 44 percent of the U.S. population,” Scott wrote in the ICIT analysis, “it is unlikely that Equifax will be the last data broker compromised before the public and private sector collaborate on meaningful reform. It may not even be the last compromised this year.”
ICIT’s analysis of the Equifax breach is not the first time Scott has criticized the data brokerage industry. In July, Scott authored an ICIT report detailing how metadata can be leveraged by nation-state threat actors and cybercriminals to target critical infrastructure sectors, with potentially serious implications for national security.
ICIT’s July report followed Congress’s passage in April of S.J. Res. 34, which canceled stricter data privacy standards put into place by the FCC in December 2016. The new law allows what Scott has characterized as “dragnet surveillance initiatives” by internet and communications companies.
On Sept. 26, Scott will lead a discussion on threats to data security, given recent legislation and industry practices, during a panel at ICIT’s Cyber Intelligence Briefing to be held at the National Press Club in Washington, D.C.