143 Million. That’s the approximate number of records held by Equifax that got stolen by a hacker. Equifax is one of the “Big 3” credit reporting bureaus, so all of the data that it collects is highly sensitive personal and financial data—your credit card charges, your mortgage loans, etc. And, considering that its worldwide holdings are roughly 800 million records, the loss is astronomical—roughly 20 percent of the entire data set went out the door.
How could it happen? Will Equifax be found at fault? And what can we do to prevent it from happening again? All good questions—none with easy answers.
As to how it happened—Equifax is blaming the software. According to the company, there was a flaw in the open-source software known as Apache STRUTS created by the Apache Foundation. Open-source software is, as its name implies, created in an open manner through public collaboration, and it’s also often offered for free, or for a minimal fee, to users. (By contrast, for example, Apple keeps many of its software details confidential and considers them corporate intellectual property.) STRUTS is used by about 65 percent of Fortune 100 companies, including Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime—plus the IRS—so any flaw in STRUTS is a problem.
The problem, for Equifax, is that the flaws in STRUTS are well known and widely reported. The US government put out an alert in 2014. And the Apache Foundation has been pretty proactive in deploying fixes that patch the vulnerability. So even though the software may well be at issue, Equifax will have some questions to answer about why it hadn’t done everything it could to patch the flaws.
That doesn’t mean, however, that Equifax is going to go out of business. They will suffer substantial economic damage, to be sure. In addition to response costs in fixing the problem now, there will be credit monitoring to pay for, legal fees, and probably some sort of fine. But the biggest damage will be to their reputation. The market here is, however, limited—there are only three large credit reporting agencies. So even the reputational damage may not have a real effect on the bottom line. More to the point, the economics are such that suffering a data breach like this is, today, just a “cost of doing business.”
Data holders have not been required to internalize the costs of cyber security. Or, as Prof. Zeynep Tufekci put it, we live in a “regulatory environment in which consumers shoulder more and more of the risk, and companies less and less.” Naturally, then, we get less security than is societally optimal.
And so, the real loser here is you and me. We have no privacy left. Personally, I have suffered through the Target breach, the Home Depot breach, the OPM (U.S. Office of Personnel Management) breach—where our government lost all the data it had on those who held top-secret clearances—and now the Equifax breaches. Between them I have lost all of my financial, health and identification data, as well as the information that went into my classified background investigation, and the fingerprints off of my hands. There is nothing about me that isn’t available somewhere on the network.
For most of us, that’s a personal problem with direct effects. My mental health issues, or my financially precarious position (both hypotheticals, by the way), are now an open book. But the bigger issue is systematic and it goes to the integrity of the entire cyber ecosystem. Today, almost all of us prove who we are to others on the network through some form of personal information. “What is your mother’s maiden name?” If all of our personal information is now widely available, many (all?) of our current methods of authenticating identity are suspect. What is the systematic cost to trust on the network? Think of the contexts (like banking) where trust is essential. How about governmental contexts where orders and directives (some with real-world military consequences) can no longer be conclusively verified?
Overly apocalyptic? Perhaps. But a clear sign that we need to rethink identification and authentication. One consequence of the Equifax breach may be mandatory identity verification and the end of anonymity on the network—a truly perverse result.