Equifax on Thursday acknowledged a massive data breach in which attackers stole personal data on 143 million Americans, including names, Social Security and credit card numbers, birthdates and addresses.
And this story isn’t over. Bloomberg reports that days after Equifax discovered the breach, senior executives sold nearly $2 million in stock, then waited weeks to notify the public. Lawmakers have renewed calls for a uniform data breach notification standard and are also asking whether Congress needs to consider preventing companies from holding large sets of highly sensitive data.
Scott Crawford, research director for information security at 451 Research, tells Channel Partners the magnitude of the breach is staggering.
“U.S. Sen. Mark Warner characterized it well: ‘The Social Security numbers, birthdates, addresses and credit card numbers of nearly half the U.S. population,’” he said. “This makes it one of the worst ever. The collection of this depth and this volume of some of the most sensitive personal information by one of the three or four major organizations in this business makes these entities a prime target, so it’s not likely to be the last, either.”
When a small number of companies maintain control over collection and access to the sort of information gathered and marketed by the credit reporting organizations, consumers are left nearly powerless, Crawford said.
“Most are simply forced to accept as a necessity the need to have a credit history with these organizations in order to gain access to the consumer economy,” he said. “Where I would point the finger is at the appalling lack of public policy for the protection of consumer data in the United States in this industry. This is not the first breach of a credit reporting organization, nor will it likely be the last, but it is one of the worst ever. When access to this information may be controlled by no more than a PIN, there is clearly a lack of acknowledgement among these companies of just how valuable a target this information is.”
Chester Wisniewski, principal research scientist at Sophos, said the breach is another reminder that information that isn’t properly protected will be stolen. Whether it is in the cloud, on a thumb drive or on a mobile device, unprotected data is valuable to criminals. What’s worse is that the bulk of the information, such as Social Security numbers, birthdays, addresses and other personal details, is far more valuable than the stolen credit card information, he said.
“Partners need to take several steps as news of the massive Equifax data breach unfolds,” said Erin Malone, Sophos’ vice president of sales in North America and Partner Advisory Council leader. “Firstly, partners need to evaluate their customer base – do any customers collect data through web applications or require their (customers) to submit sensitive personally identifiable information (PII) to complete a transaction? Partners should immediately …