Equifax Heist – An Ongoing Digital Tragedy.
TL;DR: Equifax was never working for you – they work for banks, credit companies and others. So they never put the controls in place that could have protected you. It wasn’t in their interest.
NOTE: This article will be updated throughout the day (08SEP2017) in between meetings with clients and portfolio companies.
The Equifax Heist that was recently announced has astounded many – other than the folks that actually know security (e.g. Michael Krebs).
143 Million records lost including some of the silly buggers that paid the fox to be in their henhouse – those poor buggers (that used Equifax personal identity theft service presumably) actually provided credit card and other information.
There are so many things wrong here but there are some good news points. Technology that can fix much of the problem has moved ahead brilliantly and is beginning to hit reality (as opposed to being academic or in-lab only).
Equifax Heist – Data Was In One Vault (Likely)
My understanding here, and that is evolving, is that hackers basically punched through the firewalls, intrusion detection, and other security measures and managed to get to the big vault that holds data on 143 million people. We don’t know the full detail on what protections were inside the network but I’m betting on the “crunchy outside, soft centre” approach that most groups use. They secure the perimeter but don’t lock things down hard enough inside the network. So that vault was likely just sitting there, nicely lit, for the hackers to access. Sure that vault has protections – but getting past those protections is often the work of #ScriptKiddies nowadays.
Even worse…
Equifax Heist – Your Identity Wrapped Up For The Taking
Let’s look at another terrifying piece – Equifax had literally everything that a crook needs to spoof or steal your identity. Everything – you address, your SIN/SSN, your existing accounts. Even worse? They can look at all the accounts and your credit score and decide who they want to pursue. hint: It won’t be the low credit score folks with less than $5K available credit…
It was all wrapped up in a nice red bow. 143 million lovely presents for the bad guys to enjoy. Sitting in one vault. The Equifax Heist was the perfect target.
Equifax Heist – It Was Never Your Data
Here’s the terrifying thing. Equifax purports to be working on your behalf. But do you pay them? Most likely not – and even if you do you’re not paying for the reason that they really exist. They exist to make it easy for their financial clients (banks, credit card issuers, insurance, etc.) to peer into your life and make a guess about your finances and credit worthiness.
This means you are not their customer. If you were, perhaps they would have protected things a bit more.
As my good friend Drummond Reed says “If you aren’t paying for the product, you are the product“. Equifax has had the temerity to claim that 143 million “customers” had data stolen. Well over 99% of those people are absolutely not customers – they are the product that Equifax sells. Yes – your data is their product. You get a loan and the bank puts a line item into Equifax (and the others) – and you become a piece of data that they sell…
Think about that.
Part of the data they sell access to – or at least secured in a poor way – was people’s social insurance/security number (i.e. SIN/SSN). Using such critical identity data in a system is a horrible thing to do – and should NEVER be done. But – it is easy, and most developers are lazy (err … efficient) so they will prefer to use the easy route. Another friend, Phil Windley, speaks very well on this topic, in the context of the Equifax Heist.
The Ramifications?
The ramifications of the Equifax Heist are going to be felt for years. The impacts will be felt on so many levels:
- Personal – people will already be having their identity stolen and this turns lives upside down.
- Credit Agencies – the whole idea of the big 4 (Equifax, Trans Union, and Experian) holding such valuable targets in one place will become anathema.
- Customers of Credit Agencies – there will likely be some third-party law suits filed against the lenders and other financial institutions that have been providing information to the big 3. Did they do enough due diligence? What safeguards did they put in place?
- Digital Trust – this is where the positive side of things will start to shake out. The narrative will begin to shift from the credit agencies to the people – why should a 3rd party, that can’t be trusted with MY data, be allowed to screw things up so badly?
More to come…
What If We Each Had Our Own Vault?
Imagine if that data vault that the hackers hit held only 1 person’s information. That would mean they would have to crack 143 million vaults. Now imagine that the information in each vault is also cryptographically-secured? Would they bother? Hell no – they’d go look for another system that puts everything in a single pile in a single vault.
One of our portfolio companies (Evernym) has a cute explainer videos on this idea: Magic Pennies.
Also published on Medium.