[personal profile] grayestofghosts
Yesterday Adrian Sanabria posted a Twitter thread about the recent Equifax breach’s House Oversight Report, see here, unroll here, directly to the House Oversight Report here. Considering 2018 has been the longest year on record, I’ll forgive you if you managed to forget about this breach. This is the one back in late 2017 where Equifax managed to allow the personally identifiable information of over half the adults in the United States to be compromised. I remember saying to a friend that at this point it would be easier to just give everyone a new social security number, it was that bad — and I was only half-joking.

Anyway. This breach was allowed to go on for an astonishing 76 days due to a lack of leadership and general incompetence and negligence at Equifax. Right before seeing the report, I’d finished watching the first season of Mr. Robot. If you’re not familiar with Mr. Robot, it’s a TV series where some hackers take down a large conglomerate from the inside because of the conglomerate’s unethical practices. Looking at the findings of the Equifax breach, what happened here is pretty much the opposite of the plot of Mr. Robot. Consider that, in Mr. Robot:
  1. The security of the major conglomerate is actually competent and only manages to be taken down by internal malicious actors.
  2. The hackers do not aim to victimize the ‘little guy’, AKA you, the normal viewer and consumer.
  3. The organization is actually harmed by being breached.
That last bit is the important bit. If Equifax actually sees any real damage from this breach, I will be surprised. Sure, people were fired and their IT department will be reorganized, but not much else seems to be happening beyond that. Equifax managed to wriggle out of a $124 million fine in the US and was only fined £500,000 in the UK for compromising the data of about 15.2 million British citizens. So this means that the data of each British citizen is worth, what… about 3 pence? That’s about 4 cents in American money, by the way.

With such pittances for repercussions, corporations don’t bother to understand the importance of cyber security — because, look! To them, it’s not important. The cost of caring is properly externalized to their customers. They have no incentive.

The very idea of cyber security seems to be beyond some of these upper management types. Consider the Panera Bread Company breach, which was similarly maddening in the way it was handled. Panera Bread “leaked millions of customer records […] for at least eight months before it was yanked offline”. And it wasn’t even that Panera didn’t know they had a problem. A security researcher had notified Panera’s director of information security that the records were accessible online, but the director at first dismissed it as a scam, and then said they were working on it, but instead sat on it for. Eight. Whole. Months.

There is one important distinction between Equifax and Panera, though. Sure, the information leaked by Panera may not have been as serious as the information leaked by Equifax, but there’s also the fact that people generally choose whether or not to patronize Panera Bread. If I were a customer whose information was probably leaked by Panera, and I was mad at them, I could decide to not eat there and swear to never patronize them ever again. Sure, it might be more complicated if Panera had some kind of tax support, or if my 401(k) were invested in them without me knowing, but there is at least something I could do in an attempt to punish Panera Bread, and something I could try to convince others to do with me.

You can’t do this with Equifax. There’s no opting into Equifax like there is when you choose what to buy for lunch, so there’s no way to opt out, either. It’s the most extreme example of you being the product and not the customer. To function in normal society, you’re required to allow credit agencies like Equifax to look at you and actively collect information on you, but you have no control over what they know or what they say. You have no recourse. That’s the point.

And possibly the sickest thing about this is that Equifax is likely to actually make money off of this. When so much data was compromised, Equifax offered its own credit tracking service. It may have given those affected a free year of credit report tracking, but these people are permanently affected by this breach. It’s not like their social security number and most identifying information can be changed. After the year is up, how many people will continue to need credit tracking? And how many will get it from Equifax, because they already started getting it from them? What an audacious business model!

There is, maybe, perhaps, a light at the end of the tunnel. Equifax managed to miss the activation of the European Union’s General Data Protection Regulation (GDPR), which means that in the future, breaches like this could be much costlier when they affect citizens of EU countries. Some US states are trying to impose heavier penalties, especially if corporations delay notifying those affected about breaches. Right now most enforcement at the federal level appears to be either gutted or gridlocked, for obvious reasons, though something may change about that with the new Congress in January — I doubt it, though. Whether the new fines put in place will actually dissuade gross negligence like that seen at Equifax remains to be seen. At this point, it’s very clear that the “invisible hand” of letting consumers decide who is safe enough to keep their information does not work. There need to be penalties that corporations actually feel if anything is going to improve.

Sources:

https://twitter.com/sawaba/status/1072319618352627714
https://threadreaderapp.com/thread/1072319618352627714.html
https://t.co/bBsVfZdaHQ
https://www.cyberscoop.com/equifax-uk-ico-fine/
http://fortune.com/2018/09/07/equifax-data-breach-one-year-anniversary/
https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/
https://www.consumer.ftc.gov/blog/2018/01/equifaxs-free-credit-monitoring-time-ticking

Date: 2018-12-15 04:53 pm (UTC)
From: [personal profile] hadassahintheshell
This is a great breakdown and I’ve been reading through the report and holy shit what a mess. That Equifax is still a company is insane, let alone the slap on the wrist.

No I didn’t just discover the reading pane and start to figure out how to use dreamwidth, why would you think that.

Date: 2018-12-15 08:54 pm (UTC)
From: [personal profile] hadassahintheshell
Nope, I hoped and heard the same tiny rumblings about PII security right after from a bunch of cyber security folks followed, but there is like no stomach for actually doing anything at all.

Your personal information would be safer on paper in a library at this point. It’s not like your SSN was ever meant to be some secret access to all your info anyway, and if it had been, it wouldn’t ever have been designed for a digital world anyway, but it’s still silly that we can’t expect anyone to do anything.

I love the title of this section in the report in a laugh so I don’t scream way: “Equifax Did Not Know What Software Was Used Within Its Legacy Environments”
