Data Minimization: The Main Lesson from the Equifax Hack
Equifax, the credit reporting company, announced on Sept 7th that hackers gained access to more than 143 million customers’ information, including names, dates of birth, social security numbers, addresses, and driver’s license information. Consequently, the hackers now hold all the information necessary for identity theft and fraudulent transactions. This hack will cost Equifax customers and its stockholders not only significant monetary losses but also time and inconvenience. Class-action lawsuits against Experian will add to these costs.
While there have been other, larger data breaches, such as the Yahoo hack that compromised the information of 1 billion users, no other hack compares to the impact of the Equifax hack, since it compromised highly sensitive financial and personal information about their customers. It is not yet clear what caused the Equifax hack, but it has already been the subject of speculation, and many cyber security professionals have blamed an outdated data protection system.
It is important to investigate the reason behind the Equifax hack; however, the main lesson here is to reevaluate the structure of data security and data management. Large databases of sensitive information, such as the data stored by credit reporting companies, are tempting targets for hackers. That is why the other two credit reporting agencies, Experian and TransUnion, have reported intrusions into their systems in the past. Even the most secure data vaults are not completely safe from cyber attacks; it is only a matter of time before hackers gain access to them.
The ultimate solution is Data Minimization. Personal and sensitive information is a liability for a company, yet companies such as Equifax gather a significant amount of information from their customers and remain reckless custodians of all of it. There is no government regulation controlling the amount and type of data companies can collect, and companies that profit from the sale of data, such as data brokers, neither dispose of old data nor have any incentive to handle it carefully. This means there are large vaults of sensitive information sitting in the cloud or on servers at different companies, waiting for an inevitable data breach.
It is essential for companies to have a smart data management system with multiple layers of protection and encryption, to detect their own vulnerabilities, to recognize an intrusion into their systems quickly, and to have a plan for reacting to possible data breaches. It is even more important to reevaluate what data they are collecting and to consider a “less is more” approach. This is especially important in the data broker industry, including credit reporting companies. Collecting and storing large amounts of sensitive information puts these companies at significant risk of a data breach.
It might also be time to reevaluate the structure of authorization and authentication. In the age of big data, customer privacy is suffering. The financial industry still relies on sensitive information such as social security numbers, mother’s maiden names, addresses, and passwords to authorize and authenticate users, and then collects and stores this sensitive information. Data minimization is about limiting personal data collection and storage and considering whether that data is relevant, adequate, and even necessary. The best we can hope for after the Equifax data breach is for companies to learn, to rely on smart data collection and management, and to avoid future costly cyber attacks.
There are cyber security solutions on the market that not only practice data minimization but go further and eliminate the need to store sensitive credentials at all. Learn more about NoPassword here.
Author: Bam Azizi