I was planning this column based on the Equifax breach that affected 145.5 million people. And then Yahoo! slipped a tidbit into a busy news day, admitting that its 2013 breach exposed the personal information of all 3 billion of its customers.
That’s just the most recent brick in the wall. Through just a handful of government hacks, more than 240 million Americans have had their SSNs exposed. They included the IRS breaches of 2015, 2016, and 2017, which all together exposed 1.14 million SSNs; the 2015 breach of the U.S. Office of Personnel Management, which holds the personal information and background check data for every individual who has ever worked for the government or applied for a government job, and which exposed a whopping 21.5 million; and the 2015 hack of voter data across the U.S., which affected another 191 million. And way back in 2006, 26.5 million veterans had their personal information exposed in a breach of the Veterans Affairs Department.
And that’s not even all of the government breaches. We haven’t even touched on the three South Carolina breaches, or the many commercial breaches from Target and Home Depot to Anthem Health Care, Bon Secours St. Francis Health System, and Sony, to name just a few.
Nonetheless, this is no time for melancholy. Equifax is a huge corporation, but that doesn’t mean that there aren’t takeaways for every business, agency, or nonprofit.
The Equifax breach was the result of one IT staffer who did not do what he was supposed to, according to the congressional testimony of former CEO Richard F. Smith last week. Well, that’s an easy scapegoat, but no employee goes unmanaged.
Lesson No. 1: Verify. Unmonitored standards degrade over time, because employees eventually conclude that no one seems to care and, thus, that the process isn’t that critical. It may get done eventually, but as Equifax learned, it can take as little as a week to go from secure to hacked.
Overreliance on technology seems to give businesses a false sense of security. Hacking and cybercrime are business problems. Major ones. And technology alone will not fix them.
According to published reports, the Equifax intrusion detection system failed to recognize that there had been a breach. I am going to make an assumption that Equifax has a large technology infrastructure, expensive hardware, and software systems dedicated to security, and a pretty robust staffing level.
Lesson No. 2: Technology alone will not be enough. Protecting yourself and, more importantly, your clients from data exposure will depend on a three-pronged approach of hardware, software, and humanware. Don’t spend all your security money on systems; save some for training and an independent resource/process review.
How long was a hacker bleeding information out of Equifax’s systems? Nearly three months. A full five weeks passed before Equifax acknowledged the hack.
Lesson No. 3: Things get worse the longer they go on. It is possible to lock the barn door while you still have a few horses left. But for that to happen, employees have to believe they won’t be summarily canned for turning themselves in. It’s easy to make a mistake and hard to admit it. Encouraging employees to be honest while dangling a get-out-of-jail-free card is an important step to stopping hacks quickly – while they can be controlled and potentially even prevented.
Lesson No. 4: Stop asking for things you don’t need. I’m talking to you, medical practices. Several times in the past few months, I have had to fill out paperwork that asked for my SSN. I refuse to write it on the form, and offer instead to hand a Post-it to the receptionist and wait while they enter it, returning the Post-it to me. Usually they say they don’t really need it. Then don’t collect it. Once you have it, you have a legal responsibility to protect it, and a significant liability if you don’t.
There may be one good thing to come out of the Equifax situation. The White House and Congress have just started to kick around the idea of changing our primary identification method. The newly minted idea has many challenges and affects every aspect of American life, so don’t expect a quick solution. But it is something to watch for and follow closely. We should push for smart changes to this system and stay on top of elected officials to ensure the solutions meant to protect us do not invade our privacy in the process.