Column: Equifax left unencrypted data open to Chinese hackers. Most big U.S. companies are just as negligent
All Americans should be alarmed that the Chinese government allegedly was behind the 2017 hack of credit bureau Equifax, resulting in the confidential personal information of about 145 million consumers being stolen.
But it’s worse than that.
Equifax basically left all our data out on the lawn for anyone to walk off with — the upshot of failing to encrypt the databases that store some of the most sensitive details of our lives.
And Equifax is by no means alone in such negligence. Most large U.S. companies similarly do not encrypt the data they take from customers.
“It’s frightening just how much of our data is floating out there in the clear,” said Ed Mierzwinski, senior director of the federal consumer program for the U.S. Public Interest Research Group.
“Encryption is a minimum current best practice, provided it comes with good security practices,” he told me. “You also need to hold companies accountable in the pocketbook. That’s an incentive that gets their attention.”
Atty. Gen. William Barr said Monday that four members of the Chinese military were behind the Equifax hack, accessing the names, birth dates and Social Security numbers of millions of Americans.
“This was a deliberate and sweeping intrusion into the private information of the American people,” he said in a statement.
“Unfortunately,” Barr added, “the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets and other confidential information.”
The hackers apparently exploited a software hole in Equifax’s servers. The company had failed to patch a coding vulnerability even though it knew for months that its data were at risk.
Marc Rotenberg, president of the Electronic Privacy Information Center, said this misstep on the credit agency’s part was the primary cause of the massive data theft.
“There were significant security problems in the Equifax breach, but it was more about the failure to timely install security updates and to monitor intrusions than to encrypt the data,” he said.
To be sure, the breach probably wouldn’t have happened if Equifax had kept its guard up. But the fact that its crown jewels — our data — were completely up for grabs once the hackers broke through is no less reckless.
According to the Justice Department’s indictment, the Chinese hackers (all reportedly members of the People’s Liberation Army) spotted the unpatched code and began a systematic “reconnaissance” of Equifax’s system.
“The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system,” the Justice Department said.
“In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and Social Security numbers for nearly half of all American citizens.”
Notably, the department said the hackers masked their incursions “by using encrypted communications.”
So the bad guys were using encryption to cover their tracks. But Equifax had no qualms about leaving all of that information unencrypted, readily accessible to any intruder.
Encryption is basically a way of turning data into gibberish unless you have a special key to read it. It’s the most effective way of keeping information secure.
Yet few large U.S. companies encrypt data because it adds another cost to their tech overhead and because it slows things down by imposing an extra step before data can be accessed.
One survey last year found that fewer than 30% of businesses encrypt information.
According to San Diego’s Privacy Rights Clearinghouse, more than 10 billion records have been accessed by hackers in roughly 9,000 security breaches since 2005.
As far as is known, few of those records were encrypted.
As soon as the hackers got their grubby mitts on our information, they were good to go. There was nothing to stop them from selling the data to others or using it themselves for acts of fraud.
“There is no way to 100% secure data,” said Scott Shackelford, an associate professor of law and ethics at Indiana University.
“An attacker with enough time, resources and sophistication can break into even the most protected systems,” he said. “But data encryption does make that process harder.”
Shackelford noted that the growing use of cloud-based data storage services run by the likes of Google and Amazon makes encryption more accessible to smaller companies.
But that assumes Google and Amazon are themselves encrypting. At this point, it appears they’re not, typically because clients don’t want it.
Last summer, Capital One revealed that the information of more than 100 million customers was stolen after a hacker penetrated a cloud server run by Amazon.
Again, it’s about keeping costs down and making sure databases operate smoothly. Clients of cloud-based services don’t want to have to jump through hoops to get their data.
As should now be obvious to all, that’s a pathetic excuse.
Everyone knows that privacy is an increasingly scarce commodity, and that people’s information travels far and wide — often without our knowledge or explicit approval.
But we don’t have to make it easy for hackers to rip us off.
If companies won’t do the right thing on their own, it’s time for our lawmakers to step up and force them to be responsible stewards of people’s information.
I’ll leave it to experts to flesh out details, but the bottom line should be that any company of a certain size — that is, large companies with the most data — should have to encrypt all customer records, regardless of any inconvenience this may pose to operations.
And to drive home the importance of security measures, there should be fixed penalties ($100 per victim, say) for any breach. This would get the attention of go-slow boards of directors.
We wouldn’t be the first nation to take this step. Last month, one of the world’s largest countries enacted a law promoting encryption as a data security tool and requiring that all government information be encrypted.
Which country was this?