We gave them our most precious information, and they promised to keep it secret, keep it safe.
But now we find out they didn’t.
The credit reporting giant just revealed that over 143 million of us had our personal data hacked. Social security numbers, full names, dates of birth, addresses, banking histories — everything needed to identify us was taken from under their watchful eye.
The Equifax hack is but the latest in a string of public trust betrayals, and many wonder what the modern internet denizen can do to stay safe in this brave new world. Is the digital life worth the risk? Do we have a choice?
We asked Von Welch, director for the Center for Applied Cybersecurity Research, to put our minds at ease. Here’s his take on what happened, what we can do about it, and how to prevent the next breach.
What actions should be taken by those exposed by this breach?
Minimally, just be vigilant. Jump on this.
I think right now the most prudent course for most people to take is to do a credit freeze. You go to each one of the credit reporting bureaus (Equifax, Transunion, and Experian), sign up there for a credit freeze, and then you get a PIN to unfreeze it.
The good news/bad news is that your information has probably been breached before. So, this is just another breach. Assume that as long as we’re in this broken identity system, your identity has been compromised.
So, what can we do? Do we just get off the internet? Unplug from the digital life?
The first thing we need to quit doing is stop using social security numbers as an authenticator.
When I went to school, my social security number was my student ID number, we wrote it on checks, and so on. I mean there was a time when social security numbers were not meant to be these private identifiers. They never were meant to be that.
What do you know about this Equifax breach? How did this happen?
We know very little about this, and this is one of the problems we have right now in cybersecurity.
If this were an airline accident, you’d have the National Traffic Safety Board (NTSB) come in. As in the Florida Tesla crash, there’d be a full investigation, a full report that comes out, and a feedback process to help the industry learn how to do these things better.
Instead, what we have here is no regulation saying that anyone ever must come out and fully disclose what happened. We have nothing here to let people learn.
Go back to all the other breaches. Name a breach: Sony, Anthem, Office of Personnel Management, etc. Do we know yet any real details about how any of those could be prevented? We’re not learning from these things.
What would this NTSB-style mechanism look like? What are some key aspects that you’d want to see?
I think the key attributes of something like this are that it’s a trusted third party with the goal of producing a clean, objective report on what happened and the ability to have us learn from what happened.
It’s all going to be human error at the end of the day, right? It was either a software developer doing it, or somebody who misconfigured it when they were installing it, or somebody whose password got stolen through a phishing email. There’s no such thing as a computer error, because we build computers. It’s all going to come down to a human being error at the end of the day.
So, what was that error, and what can we learn about making our computer systems more usable or less inclined to have that error in the future? We need that sort of feedback loop.
Is it fair to ask for a breach to be revealed to the public as soon as it is known?
It’s tough. I’ve sat in organizations that have had breaches and one of the hard things is that you’re never actually sure you know the full extent of a breach. You rarely at first know what is going on. If you try to communicate at that point, you’re as likely to frustrate people as anything else. So, there should be some balance there.
So, is this a matter for our legislators to create this NTSB-style board?
It would be either from the federal or from the state level. What we’re seeing right now is more from the states that are experimenting with different data breach laws. This is not a bad place to be because having 50 different laws across the different states becomes a way to experiment and see what works well. So, I actually think that’s a good path at this point.
How would such a review work in our global community?
The short answer is it doesn’t work very well right now. We’re trying very hard to establish cyber norms in this area. Fortunately, because most breaches still somewhat happen in a company that is housed in a country, it’s sort of clear what laws take effect.
But if you have something like a case where you have a company that has data in the cloud in another country, then it gets a little bit fuzzier. It almost becomes like an extradition sort of an issue. Whose laws take effect in those cases?
My personal view on that is I’d rather not let the perfect be the enemy of the good. Let’s get something rolling here, and then we’ll sort out the corner cases as they come up.