Equifax Breach Exposes Multiple Failures
In the latest of what can only be described as a pandemic of data breaches, Equifax has admitted, belatedly, that they failed to properly protect the personal financial data of 143 million Americans, 400,000 Britons, and 100,000 Canadians.
When will these companies begin to take the security of our data seriously?
What we know about Equifax's failures so far
The first known breach of Equifax occurred in November 2016. Equifax suggests that no data was stolen until May 2017. We can only guess what the intruders did with six months of apparently unfettered access. Ten months after the initial breach and four months after data was compromised, Equifax finally disclosed the intrusion. But, not before three of their executives cashed out almost $2 million in holdings.
In an effort to appear to be doing something to correct the shortcomings, the CIO and CSO have been retired. Unfortunately, their problem really lies much deeper. Patches were available but not deployed and, frankly, that level of detail is not normally the purview of the most senior executives. One could make the case that the newly promoted execs were in a better position to have prevented this intrusion but were rewarded for their failure--the Peter Principle is live and well at Equifax (except these guys were already at their level of incompetence).
More troubling than all of this is that Equifax and their ilk just don't get it. Time after time, these companies are infiltrated and yet none of them are taking the basic precaution of encrypting the data. This type of critical financial information shouldn't be available even to a successful intruder.
Why it matters
Because of the source, the information now in criminal hands is particularly valuable. Equifax's business is reliant on having up-to-date, supposedly verified, personally identifiable information including names, social security numbers (social insurance numbers), birthdates, addresses (current and previous), credit card numbers and possibly drivers license numbers (Rogers, for example, collects those). Pretty much everything required to steal identities was acquired in a single breach. Armed with this information, the perpetrators will be able to:
- Open bank accounts
- Apply for loans and credit cards
- Buy cell phones, TV subscriptions etc. in your name
- Accept payments meant for you
Don't take this lightly, theft of your identity is a serious issue that can take years to clean up.
Steps you can take to protect yourself
- Monitor your credit score
- Click to get your credit report from Equifax and TransUnion. (Note that neither of these sites are SSL secured—another indication that they don't take security seriously)
- Request a Credit File Alert (essentially a toothless credit freeze)
- If you confirm that your SIN was stolen, file a police report and alert all your banks.