Since news broke on Thursday that Equifax (EFX) had the personal data of some 143 million Americans — including names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers — stolen, things have stuck to the script with depressing predictability.
Equifax’s breach blows a larger hole in our collective privacy than most data breaches. But in most other ways, it’s the same old sorry story.
Once again, a company collected data that’s both sensitive and often mandatory to function in much of American society while allowing us little oversight of its use. Then it managed to lose control of this information. It’s now trying to make up for that with the standard remedy of a year of free identity-theft monitoring services.
And once again, it’s not acting like we need to know much about how it got hacked.
July’s news in September
Equifax’s news Thursday was not news to anybody in the company involved in the case. The company learned on July 29 that strangers had been poking around its site since the middle of May.
Equifax told the rest of us about this Sept. 7 — almost six weeks after July 29. It’s also more than two weeks after the company’s Aug. 22 registration of the equifaxsecurity2017.com domain it’s using to provide customers with information about this debacle.
The company’s FAQ, however, offers this explanation for the delay:
“Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.”
Unfortunately, Equifax is only playing to type in taking its time to notify its customers that their data’s now in the wild. Delayed disclosure of data breaches was enough of a problem in 2014 to push senators to introduce two different bills to protect customers; Congress being Congress, it passed neither and has since moved on to other things.
On the other hand, maybe if Equifax had dawdled even longer, it might have had time to reconsider a fine-print clause requiring customers to waive their right to join a class-action suit. After being called out by New York state attorney general Eric Schneiderman and many others, Equifax updated its FAQ to clarify that taking its credit-monitoring service waives no class-action right to sue over the data breach.
Will we know what went wrong?
The worst may be yet to come. I don’t mean only in the potential financial risks to 143 million Americans — as in, 44% of the total U.S. population as of last July. I also mean in terms of whether Equifax shares its lessons learned.
The company has offered a vague explanation of the hack — “a U.S. website application vulnerability” let unidentified hackers sneak in — and said it’s hired “a leading, independent cybersecurity firm” to report on what went wrong. But it hasn’t said it will publish those findings.
And it’s the polar opposite of how we handle accidents in transportation, public health and other industries.
“These things all have mandatory disclosures around them so we can all know about it and the people who built those systems can learn from it,” Veracode co-founder Chris Wysopal observed in a 2016 talk at the Collision conference.
The cybersecurity-defensive-crouch version of that response, he mocked, is less helpful: “The plane crashed; this is how many people died; how it happened is going to be a secret.”
Wysopal hasn’t seen a big push towards transparency since then. “I haven’t seen much push for breach information disclosure,” he wrote in an email Friday. “The ‘what went wrong’ is kept to a minimum.”
“I would really love to see such transparency from Equifax,” this data-breach detective wrote. But he’s not optimistic. Neither am I.
Best to expect bland “it’s been handled” reassurances—after which we can learn nothing and then repeat the whole miserable cycle in a year when some other company fumbles another hundred million or so people’s records.
TechDailyTimes is a web blog devoted to technology, science, research and development and everything related to new technological breakthroughs. Our aim is to cover technology news on a daily basis. Articles on technology contained in this blog may concern science news, tech news, applied technology, gadgets, devices etc. All blog entries are published 'as is'. TechDailyTimes waives any responsibility, expressed or implied, in regard to any material, published in the blog. Opinions expressed by our authors may contradict with the official standings of TechDailyTimes administration.