We often hear horror stories about cyber crime and the potential effects that a cyber crime can have on a company. We hear the stories, but see few examples.
This doesn’t mean that cyber crime does not occur. There are many instances where cyber crime is committed, and not reported on by the media. This is a problem, we need to hear these stories.
The Equifax saga
Equifax is a consumer credit reporting agency, much like Trans Union. The company has sensitive information about members of the public who make enquiries about the amount of credit that they qualify for. Information that the company has access to includes social security numbers, names, birth dates, addresses and in some cases, drivers license numbers.
In September, the company reported that it experienced a data breach in July where cyber criminals accessed the private information of an estimated 145.5 million US citizens.
Equifax also confirmed at least 209,000 consumers’ credit card credentials were taken in the attack. It is also believed that UK and Canadian citizens may also have been affected.
While this is a US example, South African companies cannot sit back and rest on their laurels thinking that this would never happen to them; especially when we look at the potential culprit in the Equifax saga.
The New York Times website reported that a former Equifax CEO told a hearing into the matter that the information was leaked because of a mistake made by a single employee.
The article points out that on multiple occasions, Richard Smith – who stepped down as Equifax CEO at the end of September – referred to an individual in Equifax’s technology department who had failed to heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach.
The article added that angry members of the committee tore into Smith and pressed him on how a credit bureau of Equifax’s size, responsible for safeguarding billions of sensitive records on Americans’ financial lives, could have allowed so much data to escape, unnoticed.
The scary thing about the Equifax saga is that, if reports are to be believed, the cyber breach occurred in one night and happened because of an unpatched piece of software that allowed cyber criminals past the company’s firewalls. The sensitive details of nearly half of the US population was stolen in a single night.
So, the first lesson we can learn from the Equifax saga is that every single company that deals with sensitive information needs to increase the vigilance of the systems and processes that protect this information.
The second lesson we can learn is that a company’s response to a breach such as the Equifax breach is very important. An article on fortune.com points out that when Equifax finally discovered the disaster, its first response was not to warn consumers.
The article added that after waiting nearly six weeks before disclosing the breach in September, it hatched a strategy to turn its victims into paying customers by signing them up for credit monitoring services, which originally contained fine print depriving them of the right to sue.
Where was the protection?
In the world’s largest economy, a country that prides itself on the protection and democratic rights that it offers its citizens, where were the laws that protects the public’s right to protection of their private information?
An article on hg.org points out that the Data Protection Law deals with the security of the electronic transmission of personal data. The article adds that to date, the United States does not have any centralized, formal legislation at the federal level regarding this issue. It does however insure the privacy and protection of data through the United States Privacy Act, the Safe Harbor Act and the Health Insurance Portability and Accountability Act.
What does this mean for SA?
What does the Equifax saga mean for the South African financial services industry?
The lines between the haves and have nots in South Africa is much more sensitive than in the US which has a much larger middle class. If identity fraud is committed in South Africa, certain members of the public stand to lose everything with very little possibility of recovery.
Where to now?
So where do you go now if you were affected, or even unaffected by the saga?
An article on freep.com points out that Adam K. Levin, chairman of CyberScout, said the reality is that increasingly, we’re being forced to look over our shoulders for the rest of our lives. “Tons of Social Security numbers, the skeleton key to our lives, are out there for cyber criminals to steal and exploit,” Levin said.
He said consumers should re-examine their passwords and make them stronger, check bank accounts and credit card statements frequently, and check on other ID protection services that might be offered through their employers or financial institutions.
While it’s hard to know the full dimensions of the Equifax breach, it’s important to understand that the most sensitive information for more than one-third of American consumers could have been exposed to cyber criminals, Levin said.
The crown jewels are at stake
The article added that John Ulzheimer, a credit expert who formerly worked for credit-scoring company FICO and credit bureau Equifax, said Social Security numbers, names, dates of birth and addresses are “the crown jewels of information for credit fraudsters.”
“It’s everything you need in order to apply for credit,” Ulzheimer said.
The article adds that much of that information will be just as valuable in five years as it is today, he said, because you’ll have the same name, Social Security number and date of birth. “And you’ll likely be at the same address,” Ulzheimer said. “I’d much rather have someone steal all of my credit cards than steal my personal information.”
Equifax said the “unauthorized access” took place from mid-May through July 2017. The company said it found no evidence of unauthorized activity on its core consumer or commercial credit reporting databases.
Equifax said criminals exploited a U.S. website application vulnerability to gain access to certain files.
Equifax said it discovered the hack on July 29, even though the company only announced it now. Watch the snail mail for the letters telling you you’ve been compromised, too.
Equifax said in its news release that it will send direct-mail notices to about 209,000 U.S. consumers whose credit card numbers were accessed, as well as to about 182,000 consumers who had sent documents disputing some information relating to their credit reports.
Don’t be lulled into thinking this is just another hacking headline.