It has now been nearly a week since the announcement of the Equifax data breach, a hack widely described as the most damaging of its kind to date.
While the Equifax incident is not the largest recorded data breach in terms of sheer volume, the magnitude of this hack is measured by the breathtaking amount of highly sensitive data it has left open to criminals.
The personal details that have been exposed by this hack include some 209,000 credit card numbers and other sensitive identifying data such as social security numbers. Reports state that the variety of personal details was gleaned from hacked “dispute documents” related to approximately 182,000 American customers.
Details of this incident are still being uncovered, such as who is responsible, how the hack was pulled off, and what may have been done in the interim with this trove of data. The pertinent question now is how policy makers will react to this catastrophe.
Since news of the hack came to light, US legislators have been scrambling to conduct hearings and investigations in order to determine which regulations would help prevent this sort of thing from happening in the future and mitigate the damage if it does.
For instance, the House Energy and Commerce Committee reported that it will hold a hearing to examine the incident and the application of legislation addressing vulnerabilities. This followed House Financial Services Committee Chairman Jeb Hensarling’s statement to the media that he was planning a hearing in his own committee on the incident. Calls for an investigation by the House Judiciary Committee were probably the most worrying for Equifax to hear.
There are two factors related to the Equifax incident that are the most likely targets for federal legislation.
First is the issue of security standards, including authentication and program updates.
There is reason to believe that unpatched software was Equifax’s Achilles’ heel. In the most recent revelation on the Equifax breach, many experts are pointing to a vulnerability in an old version of Apache Struts as the point of entry for the hackers. Apache Struts is a software framework for building the Java-based web applications that run a website. The vulnerability, which Apache announced in March, allows an attacker to send the system an HTTP request in a specialized syntax that fools it into granting administrative access.
With regard to authentication, the data breach is just the latest incident to show the weakness of single-factor authentication for user access. Equifax, which apparently relied on personal-detail authentication alone in its security protocols, demonstrates how easily this method is circumvented when it stands on its own.
Technicalities aside, these issues may be the first to be addressed if and when congressional committees start to roll out regulations in response to all of this.
We may see tighter rules on authentication practices, requiring certain types of companies to bolster access protocols and use multiple factors to identify a user. New laws may require organizations to perform regular program updates and impose penalties on those that don’t.
The second factor is disclosure, where regulation has some interesting recent precedent internationally.
The European Union is set to implement its much-discussed General Data Protection Regulation (GDPR) next year. One of the major issues GDPR addresses is company disclosure in the event of unauthorized access or another data leak. Under the upcoming regulation, a firm is required to report a hack to the authorities within 72 hours of identifying the incident. Not exactly the month it took Equifax.
It is interesting to note that Equifax does maintain a European presence, and has admitted that UK residents were among the victims of the recent breach. This means Equifax would have been subject to enormous fines had this incident occurred just a few months from now rather than when it did.
To emphasize, disclosure is not a small issue when it comes to mitigating the damage of a hack. The fact that Equifax revealed the breach to the public only a week ago, and has only recently begun reaching out to law enforcement and regulators, has made the potential effects of the leak far worse.
When data this sensitive leaks, the victims of the unauthorized access need to be notified immediately so that they can take steps to protect themselves. The effects of exposure can be lessened by, for example, cancelling credit cards and remaining vigilant for sophisticated phishing attempts that use the stolen personal information to create an appearance of legitimacy.