We all need to give more attention to identity theft in the wake of the Equifax breach
In this episode I talk about:
- What is Equifax anyway?
- What do we know about what happened?
- What is the implication?
- What should you do about it personally and for your business?
Related Articles and Podcasts:
- To find out if you are part of the Equifax breach
- Bruce Schneier, On the Equifax Data Breach
- Equifax Does More Than Credit Scores
- So, Equifax says your data was hacked—now what?
- How to protect yourself from that massive Equifax Breach
- How to Protect Yourself After the Equifax Breach
- LinkedIn Article Based on Collin's email
A big thank you to Collin Smith for his work and insight!
- Collin Smith
- Network Operations Engineer, Endsight
- Twitter: @EndsCsmith
Welcome to The Jason Clause Show. I’m Jason Clause, your host, and today we’re talking about, as always, good ideas for busy managers. Welcome, welcome, welcome everybody. This is The Jason Clause Show. This is a business podcast. It’s dedicated to helping busy managers find and share good ideas, lots of different kinds of ideas, actually.
My experience is that the best managers out there, the best business leaders out there in the East Bay, in the San Francisco Bay Area, they’re idea collectors. They’re always on the lookout for good ways to help their teams get motivated, get more accomplished, remember less, be more productive. They’re also looking for ways to be more secure. That’s really what is at the heart of the show. It’s about trying to find those ideas, because I get to talk to so many of you, and then share those ideas.
We have a great episode for you today. We’re going to be talking, unfortunately, about a topic that isn’t really that pleasant, but we’re going to be talking about the Equifax breach. I know that there’s been a lot of coverage, but I’m afraid that it may have gotten overshadowed by everything else that’s out there. So we’re going to spend some time talking about what happened, what the implications are, and broadly speaking, what you can be doing about it, both from a personal perspective and for the business. We’ll get into that right after this.
The Jason Clause Show is brought to you by Endsight. Computer problems are expensive and frustrating. They’re also almost always avoidable. You deserve a better computing experience, and you can trust Endsight to deliver it. Head on over to www.endsight.com and learn how.
All right. Welcome back from the break. Like I said, we’re going to be talking about Equifax and what happened. We’re tracing out the sequence of events, but before we get into that, let’s just start with what is Equifax anyway, because most of us only know it from the personal perspective. They provide credit monitoring services. They provide, funny enough, they provide identity protection services. The thing we know them most for is those credit scores that Equifax and TransUnion and the other credit reporting agencies maintain for us.
The thing that we don’t associate as often with Equifax is all of the uses and all of the businesses that they have related to the business of providing credit or understanding a population. You go over to the business side of the Equifax website, there’s more than 57 offerings on that site. They’ve got to alphabetize it. It’s things like auto insights and visualization tools.
Equifax collects massive amounts of information about you and about your family and about your business. They have some of it. They buy some of it. They aggregate that data, and you have no idea what they know about you. There’s also really no way for you to find out. This is the business that they’re in, and that’s part of what makes this particular breach such a frightening thing.
It’s also the kind of thing that, if it irritates you, I’m right there with you, because I’m not Equifax’s customer. They don’t, in my mind, why do they have the right to hold onto my information? But under the current legal and political conditions, it’s okay. I’m thinking maybe that needs to change. That’s not really what I want to talk about today, but that’s what I think needs to happen. Maybe at some other point, if you want to grab coffee with me, we can talk about what I think needs to happen. But I’m not going to use this as a platform to talk about that.
The big question that a lot of people ask me is, “How do I know if I was involved?” I’m going to talk about that in a minute, or what I think about that question in a minute, but to directly answer that question, Equifax has created a website. I’m going to include a link to it in the show notes. You can find it all kinds of places. It’s all over the Internet, but the address is www.EquifaxSecurity2017.com. You can put your information in, and you should be able to get something back, assuming that the site’s not being flooded at the time. I don’t know if this matters, to be honest with you, but if you want to check, you can.
Let’s talk a little bit about, as best that we can tell, what happened, because there’s still a lot … We’re months into this now, by the way, and there’s still a lot that’s unknown about it. As best as we can tell, there was a flaw in a tool that’s used to create web applications. Equifax has a lot of different web applications. The particular one isn’t really that important, but there was a flaw identified in this particular piece of software. That flaw was identified in March, not by Equifax, but by a firm that … There’s a lot of companies out there that are the white hat-ish type security firms that are trying to provide a public service by identifying vulnerabilities in software so that the vendors and the people using these tools can patch and …
I’ve written at length a lot about change management and control. You can find a lot of that on my website. There’s a lot of other information out there, but the gist of it is that there’s the folks that are out there finding it, and then it’s really on the business or the entity or the developer to figure out how to address that, and then let everyone know, before it can be exploited by a bad actor.
So this particular flaw that was the culprit, or provided the opportunity that created the breach, was identified in March. Let me say that one more time. It was identified in March. Equifax may have known about it, may not have known about it. It’s unclear. I’ve read a lot, and I’ve seen different accounts. But the point is that Equifax says that they didn’t really discover a breach until July 29th. So there was a great deal of time between when they knew that this was an attack vector and when they found out that they had been compromised as a result of this vector.
They then did some more due diligence and research, and found out that a series, not a single breach, but a series of persistent breaches had occurred from May 13th through approximately July 30th. A lot of this, if they’d immediately notified people, maybe this might be a little bit more understandable, but then there’s all the other things that happened. I don’t want to recount all of those, but the Reader’s Digest version is they waited a long time to tell the rest of us about what had happened. That’s not right, but that’s another podcast. These are kind of the things that, based on what I’ve been able to research and what I’ve read, this is a reasonable account of what happened.
Broadly speaking, this is a company whose business is data. They spend a tremendous amount of money on technology and security. They have an entire apparatus dedicated to it, and even they were overwhelmed, probably by the number of vulnerabilities. There’s very human reasons why this could’ve happened. I don’t want to let them off the hook, but I also don’t want to demonize them either, because everyone that runs a business or owns a business or is involved in a business is dependent on their technology and ultimately responsible for the data that you’re safeguarding, or the data that you’re a caretaker of. The amount of work required to just keep the network secure as a matter of process, it’s overwhelming. So it’s highly likely that there’s process issues and spending issues.
I was at a breakfast earlier this week, and I was talking to another dad, older parent. He has older kids than mine. What he said to me was, “Jason, I can tell you what’s important to my kids based on where they spend their time and where they spend their money.” I think there’s a lot of application for that too.
I haven’t seen a whole lot about what Equifax was investing from a material and treasure perspective in securing data. I don’t know if we’ll ever see that. But just generally speaking, I don’t think they’re alone in being the type that underspends and probably doesn’t devote the proper energy, mostly because I can’t imagine that their stockholders, before the breach, really cared too much about how secure they were. They cared about the stock price. And they only care now because of the impact it’s having on the stock price.
Anyway, I keep getting off … Coffee, another time.
All right, so what was included in the breach? Again, they’re a data aggregator, and so it’s really unclear exactly what was disclosed, but we’re pretty certain, and based on what I’ve seen, it’s names, social security numbers, birth dates, addresses, not just the address you have now, but the address you had in 1996. Drivers’ license numbers. This is really important, because this is information that is not going to go stale. You can change your credit card number. You can actually even change your address, but you can’t change your social. You can’t change when you were born. You can change your name, but why would you want to? So this is really, really important.
This is one of the main reasons that I wanted to do this podcast instead of maybe a different topic. It’s because this makes this breach different from every other breach that’s been hitting the news. We want to roll our eyes. I do. I want to roll my eyes and be like, “Another one? Okay.” But this is different, and I think it’s going to change things, and we’ll get into that.
We’re talking about that type of information for approximately 140 million US citizens. It’s more than that, and it’s not just US citizens. There’s other folks that are involved too. But it’s your mother’s maiden name and the address you had in 1996. Your first car loan, how much that was. The validity, like I said before, of this information, it is never going to expire, so there’s never going to be a point where this stops being a concern for you, or for us.
Again, until we know more, it’s … And a lot of this, until we know more, that comes up a lot, and it has a lot to do with the nature of the business that Equifax is in. They aggregate data, and that’s valuable to them. So they’re not really all that interested in letting the rest of us know exactly what they collect on us. They’re interested in letting their customers know: banks, car dealerships, folks like that. But not me. I’m just a commodity to them. You’re just a commodity to them.
So until we learn more, it’s going to be very, very easy, if you’re unprotected and you’re in the clear, for someone to impersonate you, to impersonate anyone. I read an article, I’m going to include a link to this. It was a Forrester article that pointed out that, we’re all … The easy application here, criminal enterprise to jump to, is identity theft. That’s a really easy way to use this data.
But there could be all kinds of other reasons why, or applications for this information. It’s going to be a lot easier to impersonate the CEO when you know so much about the CEO. Wire fraud is going to be so much easier, because there’s so much information. Here’s one that kind of sends a chill down my spine. We’ve already been wrestling with this idea that there may or may not have been interference in our presidential election, but with this information, you can actually commit voter fraud. That’s just two, right?
I want to stop for just a second, because I know … I’m a little bit irritated, and as I give this presentation right now, and as I talk to you, I know that’s coming across. I think this was irresponsible, but I also don’t want to sound all doom and gloom, because there’s things we can do. There’s a world that we can live in where we’re going to have to be more cautious, but the sky’s not going to fall.
All right, so what can you do to protect yourself? First, regardless of whether you go to the website and you find out that your information has been compromised or not, I think there have been enough breaches, I think it’s time for us all to just start assuming that we’ve been compromised, and begin taking action accordingly.
Use a credit monitoring or identity theft protection vendor. I would humbly submit that it probably shouldn’t be with Equifax. I think they’ve proven they’re probably not the most trustworthy player in the market, and maybe we need to source out an alternative.
Establish a credit freeze, and this is what really prompted me wanting to do this as an episode. One of our network operations center engineers, Collin, he sent out a note to the whole organization, detailing the process he went through to freeze all of his credit reports with the different credit rating agencies. It takes a little bit of time, but I think that it was a really well written piece, and so with his permission, I reposted it on my blog. I’m going to link to it in the show notes here, and I’d encourage you to go check it out. There’s some costs associated with doing this. They’re minimal. But I think when you weigh that against what the potential risk is you’re guarding against, this is a great idea.
Broadly speaking, what you’re doing is, with the credit reporting agencies, you’re saying, “Listen, I don’t want you giving this away unless this person gives you a PIN number.” Then they give you the PIN, and you have to remember it. Any time a financial agency tries to run your credit report, or anybody for that matter, the reporting agencies will not deliver that without that corresponding PIN. The idea is that you’re the only person that has that, and that’s a way to guarantee identity. It’s cumbersome and an added step, but again I think that’s the world we live in now. So I would highly recommend doing this. I did it. I did it for both me and for my wife, because there’s different reports for both of us, and the household is joined together.
Also, it’s worth going through, and I know this is cumbersome, but all of your passwords and security questions, make sure that the information in those is not something that’s in the clear as part of this breach. So addresses, schools, old car makes and models, things like that. Comb through them and change them. I know that’s cumbersome. I have, I don’t know, a lot of passwords, and I haven’t gotten this completed yet, but I’ve already started it. I’m doing a little bit at a time. Again, going back to what I said before, where I spend my time, where I spend my money, says what’s important. This is important, because protecting … Unfortunately, it has to be important.
Then finally, we need to demand control of our information. That’s the long term one. Right now, I just don’t get the sense that our government or business has a real appetite to address this problem, but if enough of us start pounding our hands on the desk, eventually we’re going to need to get some regulation in place. There’s going to need to be changes made to the way things work to protect us.
For the business, number one, it’s important to lock down the financial transfer process, right? CEO fraud was on the rise anyway. This is going to make it easier. Making sure these processes are well laid out is now more important than ever. I’m going to include a link to the episode I did on CEO fraud. I’d encourage you to listen to that if you haven’t.
Being vigilant against phishing emails, spear phishing emails and the broader ones. The information is going to allow bad actors to make these things even more personalized, make them look even more like somebody that you know. So we’re going to need to be more aware of that.
On the technology side of things, working with your provider or reaching out to somebody like me and my company, Endsight, to talk about deploying countermeasures, security analytics. We need to talk to our web teams and the folks that we’ve bought web applications from, because fundamentally these things, the way into these things is in the clear, and we need to look at how they’re secured and how they work.
Then the last one, and most people don’t even have this. This is something to start thinking about. Assuming that something will go wrong, unfortunately, needs to be something that you need to consider, and you need to have a response plan in place. I think the real thing that has the country feeling uneasy about what happened, many things, but one of the big things for me personally, is that it’s clear they didn’t really think about what to do when … Or maybe they did, and this is what they thought of. If so, it’s a monumental fail. But having a plan in place to respond if an incident happens, and then practicing that plan. That’s actually the reality that we live in now. How are you going to let your customers know when something goes wrong?
Actually I wrote a blog a long time ago about, this isn’t security related, it’s disaster planning and disaster recovery related, but Endsight actually had to implement its plan a few years back, because of a fire. I’ll include a link to that as well, so you can read up on that. We had it, and the impact was that our clients were, we were able to take good care of them, they were made aware. Many of them said, “Man, if you hadn’t told us, we wouldn’t even have known.” The plan was that good. Anyway.
All right. I’ve got most of the articles that I read preparing for this presentation. I’m going to include them in the show notes. A lot of them say the same things. The Forrester article, of all of them, that’s the one that I think I got the most out of. The New York Times article was good too. But I encourage you, if you want more information, to head on over to the website and check out the links from the show notes. That should be helpful to you.
Also, as always, if you want to give me a call, it doesn’t cost anything to talk about this. So give me a ring. I’d be happy to come out and see you or meet you for coffee. We can talk a little bit more about what this might mean for you.
All right, that’s all I got for us.
If you like what you’re hearing, head on over to iTunes and leave a review. That would be awesome. Better still, if this is useful and you think it might be useful to one of your colleagues, that’s probably the best compliment you can pay me. Just forward it on to him and say, “Hey, give this thing a listen. Maybe share it with your team.”
We’re going to continue talking about cybersecurity. We started a series. I kind of interrupted it with this, but I think it’s important. So we’re going to keep talking about different work based topics for how you can tighten up security from a process perspective. Until next time, I hope my good friend Jesus blesses you with wisdom in your spirit, peace in your heart, and a whole lot of laughter in your belly. We could all use some laughter. Take care now.