This week, news broke that an Equifax data breach may have allowed the personal details of 143 million U.S. consumers to be accessed by hackers. This included names, birth dates, Social Security numbers, driver’s license numbers and credit card numbers.
To put things in perspective, the U.S. Census Bureau estimates the current U.S. population to be just over 323 million people. That means this enormous breach of personal information impacts more than 44 percent of Americans.
As data professionals, a security event of this magnitude compels us to ask ourselves whether or not Equifax could have prevented such a breach, so that we may move the industry toward more secure practices.
Could the Equifax data breach have been prevented?
The answer to this question depends on who you ask. If you ask us, the Equifax data breach could have absolutely been avoided. Surely, if you were to ask a representative from Equifax, the response would be quite different.
The U.S. credit reporting system, which is heavily governed by regulators and legislation, requires that financial institutions and some other businesses that require our personal information to function provide this data to the national credit bureaus in order to accurately determine which consumers should be granted access to credit, housing, employment or other services.
In this sense, it is unavoidable for the national credit bureaus to operate without having access to every citizen’s personal details. However, the technology already exists for this process to effectively continue without companies like Equifax retaining all of our information for hackers or fraudsters to steal.
Security measures are not always enough to prevent a data breach
As one of the few companies trusted by our government to handle very sensitive information, Equifax and other credit bureaus implement the highest security standards of any public organization in the country. It is often the assumption when a data breach of this magnitude occurs that the company involved was negligent or adopted subpar security standards.
The unfortunate truth is that security standards – no matter how comprehensive – will always fall closely behind the progressive strategies of hackers and fraudsters. By nature, security technologies are built to address the most immediate risks and needs of companies while taking an educated guess at future risks.
In short, there will always be an elite group of hackers scheming the next trends in data theft; and security measures may never catch up with them.
How can a data breach be avoided beyond security standards?
For hacker-driven initiatives like the Equifax data breach to truly be avoided, data-intensive industries must stop the practice of pooling large quantities of very valuable information in one place. If you keep all your valuables, cash and jewelry in a safe or jewelry box in your bedroom, then that is the very first place a robber will look when breaking into your home.
In the Big Data industry, we refer to the abatement of this practice as data minimization. That is to say an organization only collects, uses and stores the data necessary to complete a required function. Once the data is no longer important to the function, it is destroyed or deleted.
The U.S. credit reporting industry simply requires that a bureau be able to confirm both the existence and status of relevant accounts to determine whether or not an individual has a strong, weak or nonexistent history of repaying debts and fulfilling obligations. Currently, this is possible because every financial institution sends regular updates to the three national bureaus regarding our accounts. Bureaus then generate revenue by repurposing this data for additional services.
However, this information does not necessarily need to ever leave your bank’s network. The technology exists today for credit bureaus and other similar data-driven organizations to confirm or validate necessary data points without ever seeing or retaining sensitive information. Through APIs and real-time data access technologies, a bureau could easily match minimal account data to determine whether an account exists and its history of payment without retaining more than a “yes,” “no,” “30 days past due,” “60 days past due,” and so on. Apart from removing storage of every citizen’s information from the bureaus, this would allow much more up-to-date account information to inform credit and fraud score models.
You can decide for yourself whether or not the risk is worth the effort.