The Equifax data breach, which has leaked critical personal information including Social Security numbers and birth dates on an estimated 143m Americans, as well as Britons and Canadians, is one of the largest ever, both in scale and the importance of the data stolen. So what lessons can we – and must we – learn from this demonstration of individual powerlessness in the face of data theft?
- Honeypots of data are hugely attractive to hackers. We know this, it’s common sense – and yet still we are persisting with the centralising of personal data rather than returning it to the individual. Putting each of us in control of our own personal data, so we can choose when and with whom it is shared, is all that makes sense.
- When our data is sold behind our backs, we don’t know who has it. The nature of Equifax’s credit-scoring business, which takes data from a number of sources to help other companies assess creditworthiness, makes it hard to assess whose data was stolen – and for individuals, whether they were involved in the breach. Again, so much better to have individuals as the hub of all their data, sharing it with insurance companies, for example, when needed, or letting algorithms run over the data on the phone and just return the result, in what we at digi.me call private sharing.
- When our data has been breached by a third party, we’re reliant on them to tell us. Equifax has set up a website for people to check if their personal details were part of the breach, but there have been widespread reports of the site returning different results for the same data. It also requires a Social Security number, making it useless for anyone outside the US. Not to mention the fact that the breach took weeks to come to light, potentially giving the hackers time to use the information they had stolen before its owners even knew it was gone. We are not in control of our own data, which is created by us. That model – where our data is used for profit by others – needs to change.
- Those involved are at significant risk of fraud for years to come. This is not an email breach, where the people involved can simply change their passwords and (largely) put a stop to the damage. The information stolen, which also included addresses, driver’s licence details and credit card numbers, means those affected are at significant risk of identity theft – and will be for years to come. We must use breaches such as these as drivers for change – otherwise nothing will change.
- Finally, and possibly most scary of all, we don’t know what this means. We don’t know if this hack will translate into increased levels of theft and fraud, or whether other information held by similar credit-scoring companies is any more secure. Or, indeed, whether Equifax will be punished for this breach.
What we do know is that trusting others with our personal information has seen it leaked over and over again. The fundamental method of personal data management must move back to the individual from central stores. And until it does, massive breaches of this scale, and the subsequent hassle and problems caused to those the data actually belongs to, will continue. Regulation has a part to play, but so too does consumer behaviour – and we need to be clear that this is not ok, on any level.