Expert takes a critical look at Equifax data breach

Expert takes a critical look at Equifax data breach | Insurance Business

Expert takes a critical look at Equifax data breach
The Equifax data breach has not only revealed how vulnerable even the largest of companies can be to cyberattack, but has also shone a spotlight on how to handle… or how not to handle… similar situations.

The agency recently admitted that it had been the victim of a months-long data breach which may have compromised the accounts of as many as 143 million people. Sensitive data such as credit card and bank information, as well as Social Security numbers, were potentially exposed by the attack.

Celebrate excellence in insurance. Join us at the Insurance Business Awards in Chicago on October 26.

Cyber Scout founder and CEO Adam Levin explained that these breaches typically happen in the same way.

“Apparently there was a vulnerability in software that they were using. They created a gap in their web security,” Levin told WND and Radio America in an interview. “As a result, the bad guys got in, crawled around for a few months and had access to a staggering amount of information.”

After revealing news of the breach, Equifax apologized for what it called a “disappointing event.”

“This isn’t a disappointing event. This is an outrageous event. It is a completely embarrassing event. It is a dangerous event,” Levin commented.

Levin explained that had the breach only dealt with credit card and bank account information, the damage would have been manageable. However, the damage caused by the potential theft of Social Security numbers is far more difficult to mitigate.

“When you’re dealing with a Social Security number, this is forever,” he said. “The Social Security administration will almost never agree to change someone’s Social Security number. So if your Social Security number is on a database that is compromised, you will be looking over your shoulder for the rest of your life.”

Felonies such as new account fraud, medical identity theft, tax fraud, child identity theft and criminal identity theft are possible when a delinquent has access to Social Security numbers. Worse, when criminals abuse such information, they can implicate the original owners of the numbers in the crimes.

“That’s where someone using your information commits a crime and the trail of bread crumbs leads back to you,” said Levin. “And you’re driving down the street. You’re pulled over to the side of the road by law enforcement for a busted tail light. All of a sudden, your car is surrounded by guys with guns. You’re thrown on the ground, handcuffed and hauled off, in some cases in front of your wife and kids.”

Some might abuse Social Security numbers to gain employment under another’s name – this could cause issues with the IRS, Levin pointed out.

“For example, someone gets your Social Security number, gets employment in your name by using your Social Security number,” he stated. “The income from that job is reported to your Social Security number. So, all of a sudden, the IRS is on your tail, saying that you woefully under-reported your income.”

Considering the widespread financial wreckage the Equifax breach could result in, Levin believes that the only way to prevent another similar cyberattack would be to adopt a new mindset.

“Technology is not the solution to security. You have to create an environment, a culture of privacy and security within an organization. Everybody’s got to buy into it. Everybody has got to be at the top of their game,” he detailed.

“Every minute of every hour of every day, hackers are doing everything they can to constantly assault every database we have, looking for the mother lode. And this time, of all times, they really hit it,” the cybersecurity professional added.

Levin advised everyone to keep in mind the three M’s of data protection: minimizing the risk in the first place, monitoring your data and protection methods constantly and managing the damage when a breach does occur. He also said cybersecurity leaders should be constantly training to keep up with new threats and observe any internal vulnerability.

“People need to be monitoring systems. They need to be looking for vulnerabilities. They need to patch those vulnerabilities immediately. They need to be monitoring their vendors,” he told WND/Radio America. “In the world we live in, you are your vendor. If something goes wrong with a vendor that leads back to you or data that you have something to do with, it becomes your liability and your problem.”

He also recommended that IT professionals should keep a close eye on the outflow of data from their systems.

“You need to have systems that monitor data exfiltration,” Levin said. “Is an unusual amount of information leaving your system, or can you see someone crawling around your system and what can you do about it?

“Data needs to be encrypted. Security needs to be layered, so that even if someone gets into one level of a company, they can’t necessarily get into the most sensitive information held by the database of that company.”

Related stories:
Cyber risk top concern for reinsurers
Equifax cyber breach exposes data of up to 143 million people