There has been a huge uproar this week after Equifax lost around 143 million records of their customers to hackers. The information stolen has the potential to be incredibly damaging given its highly sensitive nature and the repercussions for those impacted. However, this alone does not set it apart from some of the other huge data breaches of the past few years: Yahoo, for instance, lost the account information of 1 billion people in 2014, around 6 times more than the Equifax loss.
So what is it about this hack that caused Jon Lovett, a former speechwriter for Barack Obama and Hillary Clinton, to ask ‘what exactly does it take for a company to get the death penalty?’, arguing that the company should be shut down because of its negligence and selfishness in this matter?
Firstly, the loss of data by Equifax is a huge issue because very few people have consciously given Equifax consent to hold their data; the agreement to do so is most often made through third parties, who bury the fact that data will be shared with Equifax deep in multiple pages of small print. Given that conscious consent has often never been given (it is perhaps more accurate to call it technical consent), the security of this highly sensitive data should have been higher than at almost any other company in the world, but instead it was proven to be wholly inadequate.
However, either deliberately doing nothing or being ignorant of the level of security needed is not the main issue that has angered so many people; rather, it is the response.
Equifax found out about the hack a month before releasing the information to the public through social channels, without making the release easy to find for the majority of people. Within this month, company leaders offloaded huge amounts of stock, with three executives alone selling $2 million worth between them before it dropped 20% after the announcement. Given that the actual statement sent out contained a large number of grammatical mistakes and took an incoherent, rambling tone throughout, it gives the impression that the company cared more about individuals saving face and money than about doing what’s right.
In what was claimed to be a way for people to see if they had been impacted by this leak, the company offered a site where they could check by inputting their social security number. However, rather than being given any answer as to whether or not an individual’s details had been leaked, they were offered free enrolment in its TrustedID Premier monitoring service. This service, however, contained a clause that prevented people from joining a class action lawsuit, while providing very little detail or help to individuals.
The really shocking element of how this has been dealt with is that it’s unfortunately not a new phenomenon. We’ve seen from well-publicized hacks on Target, Yahoo, eBay, and Myspace that there are ways to deal with these kinds of situations. Rather than spending the month after they found out working out the best course of action from these examples, they instead appear to have attempted to insulate themselves from legal responsibility and individual financial loss. Given the huge damage this could do to them, it seems like a relatively trivial thing to concentrate on.
One of the most frustrating things for people is that despite the clear wrong Equifax has done in this situation, because of its third-party status in transactions with those whose data was lost, it will end up doing less damage than it should. There are three huge credit agencies and companies cannot afford not to use them, so despite the 20% drop in stock price, Equifax’s actual income is unlikely to be affected.
This kind of situation is why GDPR is going to be so essential, as it will make sure that the kind of security failures we’ve seen at Equifax aren’t ignored and then manipulated in an attempt to minimize the impact. According to TechCrunch, if this attack had happened 12 months later the company would be liable for a bill of £45 million. Due to the global nature of companies like Equifax, they may be US-based but still need to be GDPR compliant because of the millions of people from Europe in their database.
If you look at the 10 largest hacks in history, each involves a truly international company that would need to conform to GDPR. The top two hacks both come from Yahoo, in 2013 and 2014, with Tumblr (in 10th spot) also falling under the same umbrella company. If the kind of punishment GDPR will bring had been in place at the time of the first hack, the chances of the other two occurring would likely have been significantly diminished. That is why GDPR is going to be such an important law moving forward, and it will hopefully mean fewer incidents like the one we’ve seen over the past week at Equifax.