Simple vulnerabilities led to Equifax’s latest breach and the loss of the crown jewels - Our Data. This is its second breach of 2017 and third in the last two years. Let that sink in. Equifax knew about security gaps, chose not to close them, and put the identities of 143 million Americans up for grabs.
To prevent Equifax-like crises, executives and boards must:
Credit bureaus capture, store and sell our Personally Identifiable Information (PII). When were they explicitly granted permission to do so? Matt Blaze’s tweet was succinct - “Remember: having an Equifax record is 100% voluntary. Only those who made the choice to have ever participated in the economy are included.” Whose data is it anyway - ours or theirs? What, then, is the extent to which the credit bureaus are obliged to protect our PII? What is their duty of care? These questions ought to raise everyone's privacy and security hackles.
As with many publicly traded companies, safeguards likely ate into profit. If companies are driven solely by profit, is it surprising that securing our information is a low priority?
AFTER this breach was discovered, but BEFORE the public was notified, according to regulatory filings, three executives sold shares worth $1.8 million. An already trepidatious public perceives their actions as another example of profit and self-interest trumping duty of care and ethics.
In early 2017, Equifax was fined heavily for “deceiving consumers”. Patterns of unethical business practices create a culture that is not secure. Now, the breach they knew could happen did happen. Ethical businesses successfully balance corporate interests with consumers’ needs for privacy and safety whereas unethical businesses do not. Ethics matter.
Equifax’s data breaches indicate security breakdowns, and they also point to deeper struggles. Ethics, laws, and controls govern behavior. When they do not, failure is inevitable and potentially catastrophic. Security, corporate controls and ethics are not mutually exclusive. Much has been written about “security-based” or “risk-based” cultures, but a culture of integrity must exist first.
What caused the Equifax breach? Leadership. Leaders set the standard for their companies and employees. Despite what anyone says, the exploitation of vulnerabilities is symptomatic of a leadership breakdown. Poor leadership + bad ethics + misplaced priorities = the safety and integrity of 143 million individuals' PII and data is gone, and along with it, public trust.
Brian Keith is Co-Founder and CEO of CyberHive
The Service Provider Paradox -