How to Explain the Equifax Breach? Start with the Culture

According to IBM's 2017 Cost of Data Breach Study, the average cost of a data breach is $3.62 million and the average cost for each lost or stolen record containing sensitive information is $141.
According to IBM's 2017 Cost of Data Breach Study, the average cost of a data breach is $3.62 million and the average cost for each lost or stolen record containing sensitive information is $141.
 
 

On the surface, Frederic Lemieux reacted like many others to the news that Equifax, one of the nation’s three credit card reporting agencies, suffered a major network breach that allowed hackers to access the personal records of up to 143 million Americans.

“How could you not see this coming?” the cybersecurity expert asked in an interview. “How could you not be more careful? How could you not be more ahead of the curve?”

But his questions are, in large part, rhetorical. In fact, Lemieux, the faculty director of Georgetown University’s graduate program in Applied Intelligence, has a pretty good idea of how the company failed in its most basic mission, and it has a lot to do with lax government regulation, a lack of consequences when mistakes happen, and a corporate culture of what Lemieux calls “passive complicity.”

To begin with, unlike banks, credit reporting agencies are only lightly regulated. The agencies responsible are the Federal Trade Commission and the Consumer Financial Protection Bureau. Yet, like banks, these companies are entrusted with some of consumers’ most private information—including names, birth dates, home addresses, and Social Security numbers.

All this can be used to “steal” victims’ identities and savings, block them from taking out loans—even impede their access to prescription medications. It’s a lucrative, worldwide business that only grows bigger and more sophisticated as the volume of personal data expands.

“It’s like a black market of identities,” Lemieux said.

A Growing Threat

Why wouldn’t companies like Equifax take extraordinary measure to ensure this doesn’t happen?

“There is no incentive to comply with the best industry practices, and no incentive to spend on this because you’re not accountable for it,” Lemieux said.

In other words, credit reporting agencies and other businesses that have been hacked do not face the same consequences—legal and financial—that individuals do. Lemieux points to the breaches at Target in 2013 and Home Depot the following year. While a huge headache for these businesses, the financial repercussions of falling stock prices and lost business were only temporary and marginal. He expects the same outcome for Equifax: It is simply too big and integral to the nation’s economy.

With the Equifax breach, Congress may revisit the regulation of Equifax and the two other consumer credit companies, Experian and TransUnion.

Such new scrutiny, coupled with the growing threat of cybercrime in general, will only increase the need to train more experts in cybersecurity. In Georgetown’s new graduate program, instructors emphasize different skills than typical programs in technology, which focus more on the myriad issues that go into making networks work smoothly than on protecting them from attack. The latter imperative requires a different approach, Lemieux said—a more wide-ranging, analytic, and conceptual thought process that requires thinking outside the box

Prevention and Response

So what should companies like Equifax be doing? Before any breach occurs, they should be regularly performing two types of prevention: internal and external, Lemieux said. Internal prevention involves “scanning” the system to find traces of intrusion or any suspicious activities. A breach could reveal itself through an unexplained “traffic” on the network or traces of data leaving the system unexpectedly.

With external detection, security experts put themselves in the position of would-be hackers, searching for network vulnerabilities that could be exploited.

Finally, if a breach does occur, students at Georgetown learn how to analyze the overall modus operandi of the hackers, find possible entry points used to get into the system, and examine the type of malware that may have been embedded.

“That can provide a profile of the offender and the threat—and it’s what our students are doing,” Lemieux said. “These analyses can give you a good idea of how to better protect yourself the next time around.”

Request Information