{"id":598,"date":"2017-09-08T13:27:45","date_gmt":"2017-09-08T13:27:45","guid":{"rendered":"https:\/\/securitycurve.com\/?p=598"},"modified":"2017-09-08T13:27:45","modified_gmt":"2017-09-08T13:27:45","slug":"equifax-oh-the-humanity","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=598","title":{"rendered":"Equifax: Oh, the humanity"},"content":{"rendered":"<p><a href=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/09\/4OvyCvQ.jpg\"><img class=\"alignright size-full wp-image-599\" src=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/09\/4OvyCvQ.jpg\" alt=\"\" width=\"500\" height=\"500\" \/><\/a>So you <a href=\"https:\/\/www.nytimes.com\/2017\/09\/07\/business\/equifax-cyberattack.html?mcubz=1\">heard about Equifax<\/a>, right? \u00a0If you&#8217;re just waking up and haven&#8217;t heard about this yet, please be advised that a category five fecal-maelstrom has moved in and chances are good you are right in the path.<\/p>\n<p>Because apparently, Equifax has <a href=\"https:\/\/www.nbcnews.com\/tech\/security\/massive-equifax-data-breach-could-impact-half-u-s-population-n799686\">lost data on just about everybody.<\/a>\u00a0 By &#8220;just about everybody&#8221;, I mean about 143 million people in the US, UK, and Canada. \u00a0Basically most people with a credit record. \u00a0The data lost includes a bunch of stuff: social security numbers, dates of birth, addresses, driver&#8217;s license numbers. \u00a0Pretty much what you&#8217;d expect to be in a credit report.<\/p>\n<p>The financial impact &#8211; at least right now &#8211; isn&#8217;t great. 
\u00a0After-hours trading of the stock has been pretty rough: <a href=\"https:\/\/www.google.com\/search?safe=off&amp;rlz=1C1CHBF_enUS742US742&amp;q=NYSE:EFX&amp;stick=H4sIAAAAAAAAAONgecRoyi3w8sc9YSmdSWtOXmNU4-IKzsgvd80rySypFJLgYoOy-KR4uLj0c_UNzKtyykwKeQCvvMAWOgAAAA&amp;sa=X&amp;ved=0ahUKEwi5zd-QzJXWAhUB6yYKHTQrBF8QsRUIyQEwIA&amp;biw=1118&amp;bih=594\">they&#8217;re down about 14%<\/a>. \u00a0We&#8217;ll see what happens when the market opens, though, since we all know that <a href=\"https:\/\/hbr.org\/2015\/03\/why-data-breaches-dont-hurt-stock-prices\">stock price doesn&#8217;t usually take a hit after a breach<\/a>. \u00a0On the &#8220;plus side&#8221;, at least we know that Equifax executives are in the clear since\u00a0<a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2017-09-07\/three-equifax-executives-sold-stock-before-revealing-cyber-hack\">they sold their shares<\/a> before the news was disclosed. \u00a0They claim they didn&#8217;t know about the breach when they sold. \u00a0I wasn&#8217;t there &#8211; I have no special knowledge of the situation to have an opinion one way or the other. \u00a0But I have to say I&#8217;m a little suspicious of that. \u00a0At a minimum, the optics are terrible. \u00a0Because the only way for that to be true is that a) the CFO was out of the loop on something potentially catastrophic to their financial position and b) the president of US operations wasn&#8217;t informed about one of the largest breaches of all time. \u00a0If that &#8220;seems legit&#8221; to you, so be it. \u00a0But the &#8220;best case scenario&#8221; is that it&#8217;s unfortunate timing that makes them look absolutely terrible&#8230; the worst case (i.e. that it&#8217;s straight-up criminality, capitalizing on the misfortune of others and their own incompetence to make a quick buck) would be really, really not good.<\/p>\n<p>A few things are interesting to me about this. \u00a0First, Equifax apparently discovered the breach on July 29. 
Yet we are only learning about it now, which is well past the 30-day notification period required in\u00a0<a href=\"https:\/\/www.law360.com\/articles\/553234\/what-makes-florida-s-new-data-breach-law-unique\">jurisdictions like, for example, Florida<\/a>. \u00a0And, I&#8217;m no <a href=\"https:\/\/en.wikipedia.org\/wiki\/Srinivasa_Ramanujan\">Srinivasa Ramanujan<\/a>, but a quick &#8220;back of the envelope&#8221; calculation leads me to conclude that we&#8217;re over the 30-day timeline (or 45 days if they sought an extension). \u00a0This suggests that either a) they are not in compliance with at least one jurisdiction&#8217;s breach notification law or b) they were given explicit permission from law enforcement to delay notification. \u00a0I suppose if law enforcement were going to give an exception to someone for something, this would probably be the one, given the volume and seriousness. \u00a0However, the value of breach notification seems to me to be proportional to the size of the breach. \u00a0So if law enforcement is always going to waive it when something high-profile like this occurs, is there really any value in having a timeline?<\/p>\n<p>The second thing that&#8217;s interesting is whether this will have any impact on people&#8217;s continued use of the Social Security Number as an authentication &#8220;strategy&#8221;, or whether it will change, long-term, how people apply for credit or run credit checks. \u00a0Will it impact the viability of KBA (knowledge-based authentication)? \u00a0After all, if nobody&#8217;s data is private anymore, is it (as Adam Shostack says) a &#8220;<a href=\"http:\/\/www.isaca.org\/Knowledge-Center\/Blog\/Lists\/Posts\/Post.aspx?ID=856\">chernobyl moment<\/a>&#8221;? \u00a0At least, to the extent that it changes how we do things? \u00a0I guess we&#8217;ll see.<\/p>\n<p>The third thing I wonder about is the business impact this will have on Equifax. 
\u00a0It seems to me that companies are testing, in Darwinian fashion, how much data they can lose without suffering long-term viability impacts for their businesses. \u00a0What will be enough to impact a business in a truly catastrophic fashion? \u00a0Unsure. \u00a0But I&#8217;m interested in this because it will certainly test the hypothesis &#8211; i.e., that somehow something negative will happen to you if you expose sensitive information about people\u00a0<em>en masse<\/em>.<\/p>\n<p>Why do I say that? Because this breach is friggin huge. \u00a0And credit reporting is a super competitive marketplace. \u00a0There&#8217;s not a lot of room for someone to have &#8220;drag&#8221; in that market and still remain competitive. \u00a0Ergo, if Equifax is still viable in a year or so, it tells us something. \u00a0 Namely, if they&#8217;re not struggling, we can probably safely conclude that privacy breaches &#8211; at least those that result in disclosure of private customer information &#8211; don&#8217;t really matter all that much. \u00a0This wouldn&#8217;t be good news in my opinion, but at least we&#8217;d know. \u00a0If they&#8217;re on the ropes in a tangible, observable way, then we know there are long-term impacts. \u00a0Also useful to know.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So you heard about Equifax, right? \u00a0If you&#8217;re just waking up and haven&#8217;t heard about this yet, please be advised that a category five fecal-maelstrom has moved in and chances are good you are right in the path. 
Because apparently, Equifax has lost data on just about everybody.\u00a0 By &#8220;just about everybody&#8221;, I mean about [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[47],"class_list":["post-598","post","type-post","status-publish","format-standard","hentry","category-security","tag-equifax"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=598"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/598\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}