Month: October 2017

Equifax and the House of Cards

By: Jennifer de la Chevotiere

In our last tech article, we talked about how advancements in tech are markedly outpacing law and that this is leading to many businesses adopting new tech and applying it with a feeling of impunity.

Unfortunately, this hubris is leading many companies to make decisions that favor financial gain over proper security. Today, we’ll dive a little deeper into this concerning trend by exploring the latest major hack to hit the news: Equifax.

To give you a quick recap, Equifax is a credit reporting agency that experienced a data breach in the summer of 2017, which went unreported for approximately 6 weeks and compromised personal data of roughly 50% of Americans.

Since the hack, Equifax has been subject to several further scandals, including allegedly using “admin” as both the login and password to access valuable information in their systems in Argentina (unrelated to the US hacks), according to BBC News, and sending their own customers to a phishing site rather than the site they set up to help concerned customers following the hack.

These basic missteps are even more concerning when considering the fact that Equifax sells themselves on the promise of security. They even promote their own software products to assist other companies in protecting themselves against data breaches.

Unfortunately, whether you think you’re a customer or not, if you live in the US, there’s a good chance Equifax has at least some of your data. That is because, “As a credit reporting agency, Equifax gets information from credit card companies, banks, lenders, and retailers to help it determine a person’s credit score.”

And not only do they buy your data, they scour the web to pair other readily available information with the profiles they’ve purchased.

For example, according to the New York Times, Equifax has created programs to search keywords on Twitter like “car” and “automotive lease” to compare to existing credit files. They use this to find potential car buyers and sell the information to those selling car leases.

So how did things get this way?

First, there’s a lack of choice.

Companies that buy from Equifax depend on that information to keep their own businesses running smoothly. “The Data, over which Equifax and the other bureaus have a stranglehold, is one of the best predictors of risk.”

Because of this dependency, companies that rely on this kind of data don’t feel they can opt out and stay competitive. Instead, they’re forced to make a choice between the three agencies in the US: Equifax, Experian, and TransUnion.

And without major competition, these agencies are able to focus on creating more products to sell, rather than the quality of their operation.

Next, there’s a lack of oversight.

While the Fair Credit Reporting Act aims to protect the accuracy and privacy of the information included in credit reports, it does not limit the type or amount of information collected (as long as it is accurate) and does not limit sales to other agencies.

So, there is nothing stopping a credit agency from collecting mountains of information without the explicit knowledge or permission of the individuals involved and selling it to the highest bidder.

The result is a system where credit agencies are free to focus on making money, while their customers and the individuals impacted are relatively helpless to make any meaningful changes.

In industries like this, where the adoption and implementation of new technology outpaces not only the law but also the time needed for reasonable security measures, situations like Equifax are bound to continue.

This is the point where we would usually give a bit of advice about protecting yourself online, but this time, we’d like to hear from you about changes in regulation you’d like to see to keep up with tech or any other thoughts you have on this topic.

Let’s take this conversation to Twitter!

You can tweet us @expertdepos and/or use the hashtag #expertdepostech