By Jeff Pollard and Joseph Blankenship
When Equifax announced a cybersecurity incident potentially impacting 143 million U.S. consumers, our reaction to the breach was similar to what we imagine many people went through: Were we affected? What about our spouses and other immediate family members? Better keep an eye on the old credit report or initiate a credit freeze. Since Forrester offers credit monitoring as an employee benefit, and both authors are enrolled, one of those concerns is covered. And that all makes sense - Equifax is known to most consumers as a credit reporting agency.
But that isn't all that Equifax does. Let's look at the available products from Equifax targeted for consumers - credit monitoring, identity protection assistance, and credit score/credit report products. There are three major product lines that are, not surprisingly, focused on credit monitoring and identity theft. And then there is Equifax for business use: Welcome to an entirely different kind of company. Equifax lists 57 offerings for businesses, starting with the letter A and ending with the letter V. Everything from Auto Insights for Car Dealers, to Visualization tools is in there.
So why does Equifax for Business matter? Equifax collects information about you. You may not know it does, but it does. Even if you aren't in the population of breached users, they know you. You don't know what they know about you, and you have no way to find out in normal circumstances. This breach might actually - in a strange twist - provide you insight into what Equifax knows about you, and what it does with that information. Here's why:
Equifax is a large-scale data aggregator, data broker and analytics firm. It collects, analyzes, and derives insights from data - its own data, and data it collects and purchases from other data aggregators.
Right now we don't know exactly what information was breached. Information that Equifax aggregated from other sources could also be included.
We need more transparency before we understand the full extent of the breach. That will tell us how far beyond basic personal data it might go.
Don't assume cybercrime
An automatic assumption is that Equifax was breached by cybercriminals, looking to gain access to information to steal identities and commit credit card fraud. That's an excellent initial thought process given what we've experienced in the past - but here are a couple of "what if" scenarios:
The whale: The information is used to impersonate executives of firms to have employees wire large sums of money to fraudulent accounts internationally. Having so many details about a person makes impersonating them easier. Suddenly, personal credit fraud can go upscale to financial fraud. These attacks have already happened multiple times over the last few years.
The spy: The information allows someone to steal an identity. Identity is used when someone registers to vote. There is confirmed evidence of foreign entities attempting to influence the US election in 2016. Using this information - along with other hacks at different spots in our election process - a nation state could attempt to disrupt the 2018 or 2020 election. For an example of a similar, but different, situation that illustrates how this could occur, consider the OPM breach, which decreased the intelligence collection capabilities of US intelligence agencies.
Playing a game of "what if" has value - it makes sure we don't treat our assumptions as certainties. So what should security and risk professionals do? There are two areas to evaluate - what might happen personally, and what might happen professionally.
To protect yourself:
Assume you are compromised. The breadth and depth of this breach, along with all the other breaches that have occurred, makes it safe to assume that your personal information is in the hands of people who will use it for nefarious purposes. Act accordingly.
Use credit monitoring - but not what Equifax offered. Go to a competitor of theirs, sign up through your employer if it's open enrollment for benefits, through your credit card company, or even an alumni offering.
Think about establishing a credit freeze. But make sure to do it through all 3 credit bureaus, and remember that freezing might have costs depending on your state.
If your passwords or security questions use ANY personal information (addresses, schools, car makes and models, etc.) change them right away. It's possible someone that wants to pretend to be you to steal things knows quite a lot about you now.
We need to demand control over our information. The 21st century needs a Data Bill of Rights. GDPR is a decent start, but it doesn't go far enough. Individuals need transparency about data collection and use. More importantly, we need the right to say no to companies that want to collect our data if we don't like the extent of the collection or how it might be used. We should also have the right to say that certain companies can never have our data again, and there should be repercussions for violating our trust and their responsibility to protect our information.
To protect your firm:
Until we know more, we have to think that it's going to be remarkably easy to impersonate...well, anyone. The initial numbers stated that 44 percent of the US is affected. But 22.8 percent of the US is under 18 per the Census Bureau. Therefore 56 percent of all US adults might be affected by this.
Lock down your financial transfer processes. Make sure to include separation of duties and multi-factor authentication and authorization before paying anything.
Remain vigilant against phishing emails. Increase end user training to help users spot them, and explain the significance of social media risks to employees as well.
Deploy managed detection & response services. Work with providers that perform proactive threat hunting to identify threats as early as possible.
Invest in security analytics. Analytics will help identify anomalous behavior before signatures will.
Web application security is cool again. Our surveys indicate that 34% of data breaches were the result of web application attacks. Bake web application testing into your SDLC.
Review your incident response plan, including your public notification plan. What's worse than a data breach? Responding to a data breach poorly. Practice via simulations.
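The "lock down your financial transfer processes" advice above is the control that blunts the whale scenario: an impersonated executive's request should never be enough on its own to move money. Below is an added illustration (not Forrester's or Equifax's code) of a dual-control payment check; the TransferRequest and Approval records, the threshold value and the identifiers are hypothetical, constructed for the example.

```python
"""Dual-control check for outbound wire transfers (added illustration, not the page's code).

Assumptions (hypothetical): a TransferRequest record entered by a requester, Approval
records carrying the approver's id and whether that approver completed a second factor
for this specific approval, and a policy threshold above which two independent
approvals are required.
"""
from dataclasses import dataclass, field


@dataclass
class Approval:
    approver_id: str
    mfa_verified: bool           # second factor completed for this approval, not merely at login


@dataclass
class TransferRequest:
    requester_id: str            # who entered the request (e.g. an AP clerk acting on an email)
    amount_usd: float
    approvals: list = field(default_factory=list)


DUAL_CONTROL_THRESHOLD_USD = 10_000.0   # constructed policy value for the example


def transfer_allowed(req: TransferRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Enforces separation of duties and MFA before any payment.

    The source of the request (email, phone call, chat) is deliberately not an input:
    an impersonated executive asking for the wire gives the request no extra standing.
    """
    needed = 2 if req.amount_usd >= DUAL_CONTROL_THRESHOLD_USD else 1
    distinct_approvers = []
    for a in req.approvals:
        if a.approver_id == req.requester_id:
            return False, "requester cannot approve own transfer"      # separation of duties
        if not a.mfa_verified:
            return False, f"approver {a.approver_id} has not completed MFA"
        if a.approver_id in distinct_approvers:
            continue                                                   # same person twice counts once
        distinct_approvers.append(a.approver_id)
    if len(distinct_approvers) < needed:
        return False, f"{len(distinct_approvers)} of {needed} distinct MFA-verified approvals present"
    return True, "ok"
```

A real deployment would also log every rejection as a detection signal, since a string of self-approval attempts is exactly the pattern a BEC attempt leaves behind.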
Forrester's first-ever Privacy & Security Forum will be held next week in Washington D.C. To learn more about the Forum and to register, visit Forrester's Privacy & Security 2017 Forum page.