Equifax officially revealed the extent of its data breach — and it’s not pretty




Long after the initial media circus died down, Equifax has finally, officially, revealed the full extent of its data breach. The statement takes the form of a filing with the U.S. Securities and Exchange Commission, and it delivers far more detail about the types of information taken in the breach the company disclosed in September 2017.

What does the filing reveal?

First and foremost, the tone of the Equifax filing is revealing in itself. The company faced political, rather than legal, pressure to release these findings publicly and provide a full accounting of the breach.

As you may remember, Equifax executives testified before Congress in person. Shortly afterward, politicians and journalists around the world began to question whether the company was taking the situation seriously at all, given that Equifax stood to profit from the breach rather than be punished for its unprecedented carelessness.

With that in mind, this official filing gives the impression Equifax believes the book is closed on this issue and they’ve taken all the actions they intend to take:

“Through the company’s analysis, Equifax believes it has satisfied applicable requirements to notify consumers and regulators. It does not anticipate identifying further impacted consumers, as it has now completed analysis of government-issued identification numbers stolen together with names.”

The filing indicates Equifax retained forensic investigators and third-party cybersecurity firms to determine more precisely how many records, and what types of information, were taken.

How much and what kinds of information were stolen?

Even the earliest stories about this breach, as they broke, were clear that the scope of the incident was vast. Unfortunately, the official filing with the SEC reveals the situation is even worse than people originally feared. Here is the breakdown of affected U.S. consumers by data element, as reported in the filing:

  • 146.6 million names and dates of birth
  • 145.5 million Social Security numbers
  • 99 million home addresses
  • 27.3 million gender records
  • 17.6 million driver’s license numbers
  • 209,000 payment card numbers together with their expiration dates
  • 97,500 tax ID numbers

Taken individually, either the number or the variety of records lost would, by itself, qualify this as one of the most consequential data breaches in history. The entire population of the United States is only 325.7 million as of this writing, meaning roughly half of us had one or more pieces of critical, identifying information taken against our will. Unlike a leaked password, a Social Security number or date of birth cannot simply be reset, so the exposure is effectively permanent.

Whether, and to what extent, financial institutions and credit reporting companies will be subjected to appropriate legislation in the future is uncertain. Even many months after the report of the Equifax breach, Congress showed no signs of introducing new privacy laws to protect consumers from the companies they effectively can’t “opt out” from if they intend to apply for credit at any point in their lives.

Gov. Cuomo of New York and some other state-level politicians have floated their ideas for improved oversight. At the federal level, some additional measures have been suggested, including tightening rules for data brokers and making credit freezes free of charge. However, Americans affected by this event, if they want peace of mind, will mostly have to take their data safety into their own hands for the foreseeable future.

Driving home the importance of cybersecurity

To begin with, if you haven’t taken the time to do so, and you don’t anticipate applying for a new loan in the near future, consider freezing your credit with each of the main credit reporting companies.

Beyond that, it’s worth reflecting on how this breach drives home the importance of cybersecurity. Even before it received this filing, the SEC had already published guidance on cybersecurity best practices for investment advisers and other financial institutions.

One of these is penetration testing — which not only helps harden servers, networks and web applications against intrusion but also, when performed regularly, improves cybersecurity mindfulness at the cultural level in companies and helps leadership make better-informed and more proactive decisions.

For individuals, the takeaway is to remain vigilant about which companies you entrust with your personal data, and to protect the accounts you do hold: use a strong, unique password for each account (a password manager makes this practical), turn on multi-factor authentication wherever it is offered, and change a password promptly when the service holding it is breached. Rotating passwords on a fixed schedule is no longer recommended by NIST, because it tends to produce weaker, predictable variations rather than better security.

For companies, the picture is a lot more complicated. Even without reasonable regulations in the picture, there’s a certain amount of unspoken trust financial services customers expect of the companies they “choose” to do business with.

If you’re not carrying out periodic assessments of your own vulnerabilities, keeping internet-facing software patched, actively reviewing your strategies, and proactively preparing and training your employees, vendors and partners, you certainly should be, because the question is not whether you have vulnerabilities, but when one of them will be exploited.

Until we vastly improve the technological foundations that power the banking world — think blockchain and other next-generation tech — privacy-mindedness is going to be a serious value proposition for private companies and a clear way for them to stand apart from their peers.
