Equifiasco: what will happen next, and what should we do?

Let’s step back from the future of education for a moment and consider one of the biggest technology stories of the week: the spectacular Equifax hack.   To do so let’s keep thinking about the future, and where this could go.

Simply put, what’s next?  And what can we do?

To recap: Equifax was hacked, and responded in ways that seem to make things worse.  In July Equifax discovered a breach so vast that it “potentially impact[ed] approximately 143 million U.S. consumers [as well as] some Canadians and up to 44 million British residents”.  The US FTC says the attack began back in May.  The exposed data included birthdates, Social Security numbers, driver license numbers, and more.  PIN numbers might be in there as well, but Equifax isn’t saying.  All of which is horrendous, making this one of the worst hacks of the digital age.

As Bill Black puts it,

The experts in cybersecurity say on a scale of 1 to 10, where 10 is the worst, that this is a 10, and it’s almost comically bad. It’s another demonstration of our family rule that it’s impossible to compete with unintentional self-parody, and that’s certainly what the executives of Equifax have demonstrated in this scandal.

[Image: Equifax banner reading "Don't let id theft catch you". From the Equifax main page just now.]

Then it got worse.  Because Equifax made things worse.

Notice the July date.  Equifax didn’t decide to tell us about the hack until September 7th.

Here’s how they announced it:

“recently”, as in more than a month ago.  So the damage was done and available for exploitation for around four months. More than a business quarter.   Plenty of time for some executives to sell shares, of course.

Once they came clean, Equifax launched a website wherein customers could check their information exposure.  Said site returned unreliable information.  The site was also insecure, which is bitterly ironic (Wikipedia: “So extensive were the security flaws with the website that Open DNS blocked it on the assumption that it was a phishing site”).  equifaxsecurity2017.com also offered a coupon for free credit monitoring, which really sounds like a joke at this point.  (Bloomberg: “thieves could just sit on the information for 12 months and then start exploiting the data”)  To add injury to insult to injury, for several days the site required users to waive their rights to sue Equifax.

They set up a phone line, which didn’t work too well.

Even worse, Equifax still hasn’t fixed the breach.  As a brilliant Ars Technica column observes,

The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely.

Equifax’s PR Twitter account gently rephrases this as “challenges”.

[Image: Equifax graphic reading "New To Identity Theft?" I just might be, thanks to you guys. (Actual graphic on Equifax.com)]

There is some splendid irony in a company in charge of financial probity for hundreds of millions of people fouling its own nest so badly.  As Cory Doctorow put it,

Equifax is in the business of helping employers and financial institutions punish people for making oversights in their business and financial affairs. Being late with a single payment or missing a single bill can constitute a black mark on your Equifax records that lasts for years or decades, affecting your ability to rent or buy a home or get a job.

By contrast, Equifax expects its stakeholders — whole nations’ worth of people — to overlook its gross misconduct.

Others have observed that Equifax has suffered breaches previously, and not responded like a good actor.

So what can we do?  Over the past week we’ve learned one thing not to do, which is to trust Equifax.  As an Inc.com column asks, “Now that Equifax has potentially suffered what may be the worst ever data breach as far as impact on American consumers, please clarify what Equifax was doing to make it “a leader” in protecting data.”

That leaves us… in a kind of wilderness.  We might be on our own. Forbes – not exactly a Marxist outlet – offers useful DIY advice for individuals acting in isolation. Ditto the New York Times.  The US FTC proffers related advice, plus the laughable recommendation to keep trusting Equifax.  CNN naturally advises us to be scared.  Bloomberg notes the vague possibility of state and federal investigation (which is probably why Equifax backed away from the lawsuit waiving thing) and law-making (including maybe this one), plus the likelihood of individual or class action lawsuits to come.  None of which helps us now, as Equifax continues to leave hundreds of millions of people’s data exposed, and treats customers like friable dirt.

So what happens next?

This could be a historical break point, a digital security watershed, one of those straws-upon-the-camel’s-back moments when pent-up desires explode and powerful forces kick into action.

If we look at this as a market event, it’s a terrific opportunity for other firms to leap in and grab grateful Equifax ex-customers.  I don’t know how TransUnion, Experian, and others are reacting, but they’re certainly making the right noises.  From the very top of Experian’s main page just now: “Concerned about the Equifax® data breach? Find out how Experian can help.”  Prominently displayed on www.transunion.com: “Consumer Alert: If you are concerned about the Equifax® breach we can help with ways to protect your identity… Learn more.”  I don’t know of any entrepreneurial moves from businesses beyond established players.

If we think of this in terms of technology, we could view the Equifax debacle as another argument against the current form of consumer data protection (passwords, PINs, etc.).  Maybe now is the time to kick off a new wave in security.  That would lead to (say) widespread adoption of biometrics, or some migration to blockchain, or other forms.

If we adopt a critical theory perspective, well, all kinds of analyses open up.   From the Marxist angle we could see this as typical behavior for a financial company in heavily financialized late-stage capitalism.  We could add that it makes clear that most companies not only build business upon our privacy (Wolf Street’s concluding reminder: “you’re not their customer; you’re their product”), but clearly don’t care enough to protect that data.  We could bet that governmental action is likely to not solve the problem, given regulatory capture and other close ties between state and capital.  From a left anarchist viewpoint we might look to co-ops or other mutual aid organizations for credit security – are there any?

If, on the other hand, we take a more liberal or centrist progressive stance, we could anticipate a greater role for state and especially governmental action to address this problem.  At the very least the Consumer Financial Protection Bureau can take steps and urge greater action.  (They’ve already published a helpful guide.)  Other regulatory bodies could expand their roles.  More from Bill Black:

you’re going to have to actually have regulatory disclosure requirements. You’re going to have to have an office at the federal level that is in charge of investigating these kinds of breaches, like when a plane crashes. Find out what the hell happened, publish it, so that people know and draw generalities in terms of here are the kinds of exposures to look at. Even if you breach a company, they should never be able to come away with the crown jewels as they did at Equifax, much less the crown jewels on 142 million Americans.

New laws could be put forward.  Depending on your analytical lens, you might hope for some Congressional bipartisanship on this score, or despair and wait for a new Congress in 2019, as the GOP will likely oppose most of these hypothetical measures.

If we think of this Equifax fiasco in light of the history of technology, maybe this is one of those tech disasters that makes us reconsider the whole enterprise, like Three Mile Island did for American atomic energy.  Perhaps so many of us – and so many decision-makers – will be so galled that we step back and wonder if we’ve been doing the right thing by trusting our private data to firms like Equifax.  Maybe some will recommend a turn back to paper (I have heard this in my work, regularly, since the 1990s), or a shift sideways to a different technology (see above).

Or maybe I’ve misidentified the moment, and nothing major will transpire.  Equifiasco will be like the Sony hack, and will simply become a minor detail of contemporary folklore.  Stuck, lacking options, bereft of political options, we’ll take our lumps and resume normal activities.  Seeking Alpha thinks the market lets companies bounce back from heinous security breaches and bad customer relations.  Econintersect agrees. Even Bloomberg sourly speculates that:

the likeliest possibility: nothing at all happens, but in a year when the free term expires, we’ll feel compelled to start paying $20 a month to renew Equifax’s security blanket or sign up for LifeLock. Right now, that feels almost like a ransom to companies that hoard our personal information but can’t or don’t care enough to protect it.

…I’m bitter….

What do you think will happen next?

(thanks to Steven Kaye,  Mike Sellers, Martha Fay Burtis, and others for help with links and ideas)
