So you heard about Equifax, right? If you’re just waking up and haven’t heard about this yet, please be advised that a category five fecal-maelstrom has moved in and chances are good you are right in the path.
Because apparently, Equifax has lost data on just about everybody. By “just about everybody”, I mean about 143 million people in the US, UK, and Canada. Basically most people with a credit record. The data lost includes a bunch of stuff: social security numbers, dates of birth, addresses, driver’s license numbers. Pretty much what you’d expect to be in a credit report.
The financial impact – at least right now – isn’t great. After hours trading of the stock has been pretty rough: they’re down about 14%. We’ll see what happens when the market opens though since we all know that stock price doesn’t usually take a hit after a breach. On the “plus side”, at least we know that Equifax executives are in the clear since they sold their shares before the news was disclosed. They claim they didn’t know about the breach when they sold. So, I wasn’t there – I have no special knowledge of the situation to have an opinion one way or the other. But I have to say I’m suspicious of that a little bit. At a minimum, the optics are terrible. Because the only way for that to be true is that a) the CFO was out of the loop on something potentially catastrophic to their financial position and the president of US operations wasn’t informed about one of the largest breaches of all time. If that ” seems legit” to you, so be it. But “best case scenario” is that it’s unfortunate timing that makes them look absolutely terrible… the worst case (i.e. that it’s straight-up criminality capitalizing on the misfortune of others and their own incompetence to make a quick buck) would be really, really not good.
A few things are interesting to me about this. First, Equifax apparently discovered the breach on July 29. But yet, we are only learning about it now. That is that it is well over the 30 day notification period required in jurisdictions like, for example, Florida. And, I’m no Srinivasa Ramanujan, but a quick “back of envelope” calculation leads me to conclude that we’re over the 30 day timeline (or 45 if they sought extension). This suggests that either a) they are not in compliance with at least one jurisdiction’s breach notification law or b) they were given explicit permission from law enforcement to delay notification. I suppose if law enforcement were going to give an exception to someone for something, this would probably be the one given the volume and seriousness. However, value of the breach notification seems to me to be proportional to the size of the breach. So if law enforcement is going to always waive it when something high profile like this occurs, is there really a value to having a timeline?
Second thing that’s interesting is I’m wondering if this will have any impact on people’s continued use of Social Security Number as an authentication “strategy” or if it will impact long-term how people apply for credit or run credit checks. Will it impact the viability of KBA? After all, if nobody’s data is private anymore, is it (as Adam Shostack says), a “chernobyl moment“? At least, to the extent that it changes how we do things? I guess we’ll see.
Third thing that’s interesting to me is I wonder the business impact this will have on Equifax. It seems to me that companies are testing, in Darwinian fashion, how much data they can lose without suffering long-term viability impacts for their businesses. What will be enough to impact a business in a truly catastrophic fashion? Unsure. But I’m interested in this because it will certainly test the hypothesis – i.e., that somehow something negative will happen to you if if you expose sensitive information about people en masse.
Why do I say that? Because this breach is friggin huge. And credit reporting is a super competitive marketplace. There’s not a lot of room for someone to have “drag” in that market and still remain competitive. Ergo, if Equifax is still viable in a year or so, it tells us something. Namely, if they’re not struggling, we can probably safely conclude that privacy breaches – at least those that results in disclosure of private customer information – don’t really matter all that much. This wouldn’t be good news in my opinion, but at least we’d know. If they’re on the ropes in a tangible, observable way, then we know there are long-term impacts. Also useful to know.