There is a lot of press about the recent Equifax hack that exposed 143 million records, mostly of Americans, although some Canadians and Brits were also affected. The shares of the company plunged by as much as 18%, and condemnation on the company’s handling of the incident continues to mount.
If you’re one of the top data aggregators in the world, having a corresponding world-class cybersecurity program is expected. I am sure that, as the several class-action suits proceed, we’ll find out exactly how good their cybersecurity program actually was.
Equifax’s initial response, spinning up a support website on a separate, newly registered domain, “equifaxsecurity2017.com” (exactly the lookalike-domain pattern phishers use to lure users into handing over confidential information, and one that leaves consumers with no way to tell the real site from an impostor), did not make for an auspicious beginning in incident response handling!
Be that as it may, the headlines will eventually subside, the concerned consumers will be lulled into a false sense of security by the one-year free credit monitoring offer, and, in no time at all, this will be just another entry on the “top ten hacks of the year” slide used in cybersecurity awareness presentations.
The truth: None of this really matters. Why? Because all the Equifax hacked data was already out there. To be sure, it may have been fragmented, it may not have been as normalized as this set, etc., but it was there. Available for all to use. Anyone who desires only needs to bring their wallet to purchase nearly limitless consumer data with a credit card, no questions asked.
I’m not just talking about the stolen records offered for sale to nefarious actors on dark-web marketplaces; I am talking about 100% legitimate business transactions. Above board, and with your data as the prime product.
Have you heard of Acxiom? Perhaps you’ve heard of qDatum? No? How about Dawex, Quandl, or xDayta? Nothing? They are examples of data aggregators. The list of such companies is long. For example: Azure Marketplace, dataexchange, datamarket, datastreamx, Dawex, DMI, Experian, infochimps, Lotame, Nielsen/eXelate, Oracle Data Cloud, qDatum, Quandl, and xDayta, to name a few. These enterprises collect data from all sorts of sources, correlate and normalize it, and sell the result back. What are those sources?
Let’s see… How many free services do you personally use? Make a list. Those are some of the sources for the data aggregators. Facebook, Instagram, Google, and every app or service that you use for free (and several that you pay for!) are collecting your data and either selling it, or using it “to serve you better!”
You didn’t think Facebook was providing you with a multi-billion-dollar platform because of your good looks and charming personality, did you? Were you under the impression that you were Instagram’s client? Just a Google user? Not in the slightest. You, and all your data, are their product.
These are not the only sources of information for these aggregators. Notice, for example, that Experian is on the list. Where do they get most of their data? Your credit card company, your bank, and even your employer.
Don’t stop there: what about your insurance company? Your pharmacist? Even your super-secret-double-cone-of-silence medical records can be a source, “anonymized” of course! Until the anonymized data hits the aggregator. Then a simple join on the handful of attributes that were left in (ZIP code, birth date, sex, and the like) against a dataset that still carries names re-identifies the records, and you might as well have sent them all the data yourself, under your own name, signed, sealed, and delivered.
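To make the re-identification step concrete, here is an added example (not from the original article; all records and names are constructed for illustration). An “anonymized” health dataset has had names removed but keeps ZIP code, birth year, and sex. A second, named dataset of the kind a broker sells carries the same three attributes. Joining on those quasi-identifiers names the patients; a k-anonymity check shows why, and a simple generalization (ZIP prefix, ten-year birth band) shows what a release would have needed to resist the join.

```python
"""Linkage attack on an "anonymized" dataset via quasi-identifiers.

Added example with constructed data; not code from the original article.
"""
from collections import Counter, defaultdict

# Constructed "anonymized" health release: names stripped, but the
# quasi-identifiers (ZIP, birth year, sex) were left intact.
HEALTH_RECORDS = [
    {"zip": "02138", "birth_year": 1974, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_year": 1974, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1977, "sex": "F", "diagnosis": "migraine"},
    {"zip": "02139", "birth_year": 1979, "sex": "M", "diagnosis": "back pain"},
    {"zip": "10001", "birth_year": 1962, "sex": "M", "diagnosis": "arrhythmia"},
    {"zip": "10002", "birth_year": 1965, "sex": "M", "diagnosis": "gout"},
    {"zip": "02139", "birth_year": 1988, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1988, "sex": "F", "diagnosis": "anemia"},
]

# Constructed "named" dataset of the kind a data broker sells
# (hypothetical names), carrying the same quasi-identifiers.
PUBLIC_RECORDS = [
    {"name": "Alice Example", "zip": "02138", "birth_year": 1974, "sex": "F"},
    {"name": "Bob Example", "zip": "02138", "birth_year": 1974, "sex": "M"},
    {"name": "Carol Example", "zip": "02139", "birth_year": 1977, "sex": "F"},
    {"name": "Dana Example", "zip": "02139", "birth_year": 1979, "sex": "M"},
    {"name": "Ed Example", "zip": "10001", "birth_year": 1962, "sex": "M"},
    {"name": "Frank Example", "zip": "10002", "birth_year": 1965, "sex": "M"},
    {"name": "Gwen Example", "zip": "02139", "birth_year": 1988, "sex": "F"},
    {"name": "Helen Example", "zip": "02139", "birth_year": 1988, "sex": "F"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def qi_key(record, generalize=None):
    """Linkage key built from the quasi-identifiers.

    `generalize`, if given, coarsens the record first (see `coarsen`).
    """
    if generalize is not None:
        record = generalize(record)
    return tuple(record[field] for field in QUASI_IDENTIFIERS)


def link_records(anonymized, public, generalize=None):
    """Return {index in `anonymized`: name} for each row whose key matches
    exactly one named row and is itself unique in the release.

    Keys shared by several rows on either side are ambiguous and are
    not reported as re-identified.
    """
    names_by_key = defaultdict(list)
    for row in public:
        names_by_key[qi_key(row, generalize)].append(row["name"])
    anon_counts = Counter(qi_key(row, generalize) for row in anonymized)

    reidentified = {}
    for idx, row in enumerate(anonymized):
        key = qi_key(row, generalize)
        names = names_by_key.get(key, [])
        if len(names) == 1 and anon_counts[key] == 1:
            reidentified[idx] = names[0]
    return reidentified


def k_anonymity(records, generalize=None):
    """Smallest equivalence class over the quasi-identifiers.

    k == 1 means at least one person is unique in the release.
    """
    counts = Counter(qi_key(row, generalize) for row in records)
    return min(counts.values())


def coarsen(record):
    """Generalization: 3-digit ZIP prefix and 10-year birth band."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = (record["birth_year"] // 10) * 10
    return out


if __name__ == "__main__":
    print(f"k-anonymity of raw release: {k_anonymity(HEALTH_RECORDS)}")
    for idx, name in link_records(HEALTH_RECORDS, PUBLIC_RECORDS).items():
        print(f"  {name} -> {HEALTH_RECORDS[idx]['diagnosis']}")
    print(f"k-anonymity after coarsening: {k_anonymity(HEALTH_RECORDS, coarsen)}")
    hits = link_records(HEALTH_RECORDS, PUBLIC_RECORDS, coarsen)
    print(f"re-identified after coarsening: {len(hits)}")
```

On the raw release six of the eight “anonymous” patients are named outright (the two who share identical attributes are ambiguous and survive only by luck); after coarsening every class holds at least two people and the join names nobody. With a full birth date instead of a year, matching is even easier, which is the classic finding that ZIP code, date of birth, and sex alone identify the large majority of the US population.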
That is why the Equifax breach doesn’t matter. Your data was already out there! Available for purchase, ready for use! What use? From “benign” targeting of ads, to identity theft. And if your question is, “Well, how come I haven’t been affected yet?” The answer is simple: There are millions upon millions of records out there! You haven’t been affected yet, because the list is so long, it scrolls to Spain. Don’t worry! Sooner or later they’ll get to you.
Depending on who’s using the list, for what reason, and from where it was “procured,” it may take anywhere from days to decades before your name becomes the target du jour.
What can you do about it? First, you need to recognize that all your data – and I mean ALL YOUR DATA – is already out there and available. Second, you need to make peace with the new privacy paradigm. Getting upset that your privacy has been violated is like arguing with the weather. It will rain regardless. Third, you need to own the responsibility of protecting your identity, digital and otherwise. You must either enroll in a reputable identity protection monitoring service (a small sample, alphabetically: IdentityForce, IDWatchdog, LifeLock, PrivacyGuard, or TrustedID, among many others), or take it upon yourself to monitor all your account activity across every institution you do business with.
My advice: Do both! Use a service and personally monitor your activity. Remember: You can outsource the task of monitoring your digital footprint, but you are still accountable for it. If a fraudulent loan is taken out in your name, the service may help you, but they will ultimately “be very sorry for your loss” as you are left to dig out of the mess!
Finally, be aware. Be aware of the threats, be wary of “free,” be sensitive to how, where, and what you disseminate willingly. No one is a better steward of your life than you. Digital, or otherwise.