Equifax and other data brokers practice “lackadaisical” cybersecurity and “negligently” compromise the long-term safety and security of consumer information, as shown by the breach of 143 million U.S. credit records managed by Equifax, according to a new report.
The Atlanta-based company disclosed on Sept. 7 that criminals exploited a U.S. website application vulnerability to gain access to certain files from mid-May through July 2017.
“Data brokers continue to jeopardize the long-term safety and security of the consumers who are trapped in their dragnet surveillance and incessantly manipulated by their demographic and psychographic Big Data algorithms,” James Scott, co-founder and senior fellow of the Institute for Critical Infrastructure Technology, a Washington-based cybersecurity think tank, wrote in a report published on Wednesday.
“To them, information is a commodity and people are seen as data points instead of human beings,” he said in the report. “Data brokers continue to practice lackadaisical cybersecurity because they fail to connect the information lost in countless breaches to the lives impacted by adversaries’ campaigns. Equifax is yet another negligent data broker that has been compromised due to its failure to secure data according to its value, promote cyber-hygiene best practices, and implement layered defenses.”
Early 2017 monitoring of now-defunct Deep Web markets shows that Experian and TransUnion might also be compromised, meaning the Equifax breach may not be the last data broker compromised this year, Mr. Scott said.
“Equifax has proven itself to be a compromised, irresponsible data custodian,” he said. “However, Experian and TransUnion may be just as vulnerable, irresponsible and compromised.”
But Equifax knowingly waited six weeks to inform 44% of the American population that their credit records were compromised by an unknown adversary, Mr. Scott noted.
“It is difficult to imagine how Equifax could have managed the public disclosure and incident response more tumultuously following the compromise of sensitive information of nearly half the populations of the United States and the United Kingdom,” he said. “Equifax delayed publicly disclosing the breach to consumers for nearly six months — likely in an attempt to manage negative public response, mitigate reputational harm and pre-empt litigation.”
Equifax’s inability to fix the vulnerability with a readily available patch will cost the organizations millions or billions of dollars and will put the 44% of affected consumers at risk of identity theft, fiscal fraud or medical account compromise for at least the next decade, Mr. Scott said.
“Worse, because Equifax delayed disclosure and botched incident response, consumers are severely unprepared for the onslaught of social engineering campaigns and exploitative attacks that cybercriminals and techno-mercenaries are preparing to launch,” he said.
On Sept. 15, Equifax announced that its chief information officer and chief security officer were retiring and were immediately replaced by interim staffers. The company also said its internal investigation is ongoing and it continues to work closely with the Federal Bureau of Investigation in its investigation, according to the press release.
“Since the Equifax breach announcement, TransUnion has been scouring our systems globally to make sure we remain safe as we do any time we learn of a potential threat,” the company said in an emailed statement. “Based on the analysis we’ve conducted to date, we have not uncovered any evidence of a similar cyber event.”
Equifax and Experian could not be immediately reached for comment.