In the latest in a truly blockbuster year for data leaks, American credit reporting company Equifax has announced the loss of highly sensitive data belonging to 143 million Americans. Nearly half the population of the US are thought to be effected. There have been much bigger breaches, but not with this quantity of sensitive information.
Public breaches like this are a reminder of how important it is for us a to think through the data we hold, how we protect it and what we would do in case of a breach.
Equifax is a US based credit reporting agency. They sell consumer credit reports about people like you and me to companies, based on this info they decide if we can afford that PCP deal we really need to have. With car dealership finance in the UK currently at £58 billion, the answer is probably going to be yes, but I digress.
So what kind of information can you get from a credit report? Like me you may have read your credit report recently, let’s think about what data a credit reporting agency hold on you;
Name, address, date of birth? Sure. Credit card details? Provider? Balance? How about how much you owe on your mortgage or credit card? I know mine has that info. Equifax mention driving licence numbers and Social Security numbers – important data for US customers. This is a historic data breach.
The impact of this data loss is almost unimaginable. Last week I suggested you check if your email accounts had been compromised and change your passwords if necessary. You can't do that so easily in this case. The potential for a tidal wave of impersonation/ social engineering attacks from this leak of sensitive data is great. Surely the main obstacle is how fast the bad guys can type in those phone numbers:
“Hi Is that John Doe? Hi this Alan Badguy from [your bank here] I’m ring about your credit card [name of card here] ending in [last 4 digits here]…. I see that your balance is around [last listed credit card balance here]…we would like to offer you an upgrade to our XYZ package… Great... if you could just confirm your ….mother's maiden name/pin number/ bank logon”
If I was running this as a social engineering training exercise, I wouldn’t choose this scenario because it would be too easy. Shooting fish in a barrel.
Ok. Enough rubbernecking at what is (for UK audiences at least) someone else’s car crash. Before we put our foot down and drive off as recklessly as before, let’s take a moment to think how we could prevent this happening to us.
Think about the information your company holds. Categorise it and decide what protection it needs. Unlike Equifax we (probably) don’t need the types or volume of data above.
A couple of the ICO's 8 data protection principles are relevant here:
3. Personal information must be adequate, relevant and not excessive.
Have an audit. Do you need to keep this information? Is it still relevant? Do you need detailed transaction records or could you aggregate it?
5. Personal information must not be kept for longer than necessary.
Depending on your industry you may need to keep information for a specified time. Have an audit to see you are meeting those rules and have a spring clean. Get old data off the network and deleted if possible.
7. Data must be secure.
The best way to secure your data is to encrypt sensitive information and backup and store offline information you don’t need readily accessible. In encrypted format.
Enforce least privilege. Staff only need access to the information they need for their roles. That way if an account is compromised, there are more barriers to data exfiltration.
The GDPR on data breaches:
In your preparation of the incoming General Data Protection Regulation you should make sure that you have the right procedures in place to detect, report and investigate a personal data breach. Running an exercise where you simulate a breach is the easiest way to go through your procedures, ensure they make sense and prepare yourself for an incident. It will be interesting to see how Equifax manages its public interactions over the weeks and months to come.
This emerging case is a reminder of the importance of proper data management. You can start to minimise the risk of this happening to you by thinking about what data you have and how and where you protect it. The ICO produces excellent material to assist you in doing this.
Make it a standing item on your agenda, pin a post-it note on your board or write the word “ Equifax” on the back of your hand.
Drive carefully now.