Schneier on Equifax

Source: Security Now!

Okay.  So last week our often-quoted guru and security expert and crypto person whose books I have behind me on my shelf, Bruce Schneier, was asked to testify before the House Energy and Commerce Committee on his feelings about the Equifax hack.  There is on his site - his current blog is, S-C-H-N-E-I-E-R dot com - there's a link to the video of his testimony, if you want to watch it.  But I want to share some of the points he made because they were good.

And he starts out a little bit with his CV:  "Mr. Chairman and Members of the Committee, thank you for the opportunity to testify today concerning the security of credit data.  My name is Bruce Schneier, and I am a security technologist.  For over 30 years I have studied the technologies of security and privacy.  I have authored 13 books on these subjects, including 'Data and Goliath:  The Hidden Battles to Collect Your Data and Control Your World,' published in 2015 by Norton."

He says:  "My popular newsletter Crypto-Gram and my blog Schneier on Security are read by over a quarter million people.  Additionally," he says, "I am a Fellow and Lecturer at the Harvard Kennedy School of Government, where I teach Internet security policy, and a Fellow at the Berkman Klein Center for Internet and Society at Harvard Law.  I am a board member of the Electronic Frontier Foundation, Access Now, and the Tor Project; and an advisory board member of Electronic Privacy Information Center, and I am also a special advisor to IBM Security and the Chief Technology Officer of IBM Resilient."

So obviously he's got a beautiful CV that demonstrates to these guys who have no clue which end is up that this is a guy whose opinion is informed.  He says:  "I am here representing none of those organizations and speak only for myself based on my own expertise and experience.  I have eleven main points."  And I'm going to skip them toward the end, but I want to share the main salient ones.

He says:  "One, the Equifax breach was a serious security breach that puts millions of Americans at risk."  We all know that, but he wants to establish some ground.  "Equifax reported that 145.5 million U.S. customers, about 44% of the population, were impacted by the breach.  That's the original 143 million plus the additional 2.5 million disclosed a month later.  The attackers got access to full names, Social Security numbers, birth dates, addresses, and driver's license numbers.

"This is exactly the sort of information," Bruce says, "criminals can use to impersonate victims to banks, credit card companies, insurance companies, cell phone companies, and other businesses vulnerable to fraud.  As a result, all 143 million US victims are at greater risk of identity theft, and will remain at risk for years to come.  And those who suffer identity theft will have problems for months, if not years, as they work to clean up their name and credit rating.

"Two, Equifax was solely at fault."  He says:  "This was not a sophisticated attack.  The security breach was a result of a vulnerability in the software for their websites, a program called Apache Struts.  The particular vulnerability was fixed by Apache in a security patch that was made available on March 6, 2017 and was not a minor vulnerability.  The computer press at the time called it 'critical.'  Within days it was being used by attackers to break into servers.  Equifax was notified by Apache, US-CERT, and the Department of Homeland Security about the vulnerability and was provided instructions to make the fix.

"Two months later, Equifax had still failed to patch its systems.  It eventually got around to it on July 29.  The attackers used the vulnerability to access the company's databases and steal consumer information on May 13, over two months after Equifax should have patched the vulnerability.  The company's incident response after the breach was similarly damaging.  It waited nearly six weeks before informing victims that their personal information had been stolen, and that they were at increased risk of identity theft.  Equifax opened a website to help aid customers, but the poor security around that - the site was a domain separate from the Equifax domain - invited fraudulent imitators and even more damage to victims.  At one point, the official Equifax communications even directed people to that fraudulent site."

He says, finishing point two:  "This is not the first time Equifax failed to take computer security seriously.  It confessed to another data leak in January 2017.  In May 2016, one of its websites was hacked, resulting in 430,000 people having their personal information stolen.  Also in 2016, a security researcher found and reported a basic security vulnerability in its main website.  And in 2014, the company reported yet another security breach of consumer information. There are more.

"Three," he says, "there are thousands of data brokers with similarly intimate information, similarly at risk.  Equifax," he says, "is more than a credit reporting agency.  It's a data broker.  It collects information about all of us, analyzes it all, and then sells those insights.  It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about us, almost all of them companies you've never heard of and have no business relationship with.

"The breadth and depth of the information the data brokers have is astonishing.  Data brokers collect and store billions of data elements covering nearly every U.S. consumer.  Just one of the data brokers studied holds information on more than 1.4 billion consumer transactions and 700 billion data elements, and another adds more than 3 billion new data points to its database each month.  These brokers collect demographic information:  names, addresses, telephone numbers, email addresses, gender, age, marital status, presence and ages of children in household, education level, profession, income level, political affiliation, cars driven, and information about homes and other property.  They collect lists of things we've purchased, when we purchased them, and how we paid for them.  They keep track of deaths, divorces, and diseases in our families.  They collect everything about what we do on the Internet."

He says:  "Number four, these data brokers deliberately hide their actions and make it difficult for consumers to learn about or control their data."  He writes:  "If there were a dozen people who stood behind us and took notes of everything we purchased, everything we read, searched for, or said, we would be alarmed at the privacy invasion.  But because these companies operate in secret, inside our browsers and financial transactions, we don't see them, and we don't know they're there.

"Regarding Equifax, few consumers have any idea what the company knows about them, who they sell personal data to, or why.  If anyone knows about them at all, it's about their business as a credit bureau, not their business as a data broker.  Their website lists 57 different offerings for business - products for industries like automotive, education, healthcare, insurance, and restaurants.  In general, options to 'opt-out' don't work with data brokers.  It's a confusing process and doesn't result in your data being deleted.  Data brokers will still collect data about consumers who opt out.  We will still be in those companies' databases and will still be vulnerable.  It just won't be included individually when they sell data to their customers.

"Five," he says.  "The existing regulatory structure is inadequate.  Right now there is no way for consumers to protect themselves.  Their data has been harvested and analyzed by these companies without their knowledge or consent.  They cannot improve the security of their personal data and have no control over how vulnerable it is.  They only learn about data breaches when the companies announce them, which can be months after the breaches occur, and at that point the onus is on them to obtain credit monitoring services or credit freezes.  And even those only protect consumers from some of the harm, and only those suffered after Equifax admitted to the breach.

"Right now, the press is reporting dozens of lawsuits against Equifax from shareholders, consumers, and banks.  Massachusetts has sued Equifax for violating state consumer protection and privacy laws.  Other states may follow suit.  If any of these plaintiffs win in the court, it will be a rare victory for victims of privacy breaches against the companies that have our personal information.  Current law is too narrowly focused on people who have suffered financial losses directly traceable to a specific breach.  Proving this is difficult.  If you are the victim of identity theft in the next month, is it because of Equifax, or does the blame belong to another of the thousands of companies who have our personal data?  As long as one can't prove it one way or the other, data brokers remain blameless and liability free.

"Additionally, much of this market in our consumer data falls outside the protections of the Fair Credit Reporting Act.  And in order for the FTC (Federal Trade Commission) to levy a fine against Equifax, it needs to have a consent order and then a subsequent violation.  Any fines will be limited to credit information, which is a small portion of the enormous amount of information these companies know about us.  In reality, this is not an effective enforcement regime.  Although the FTC is investigating Equifax, it's unclear if it has a viable case."

And so anyway, I won't go on.  "Number six," he says, "the market cannot fix this because we are not the customers of the data brokers."  As we know, we are the products which the data brokers sell.  So this has perverse incentives.  The data brokers are selling to companies that want the information.  So in this system, traditional market forces don't work to apply pressure.  The customers want the information, want it to be easy to get, don't want us to be able to block it from their access.  So as a consequence, it has been made hard for us to do this.  And in fact he makes the point that financial markets reward bad security.

He writes:  "Given the choice between increasing their cybersecurity budget by 5% or saving that money and taking the chance, a rational CEO chooses to save the money.  Wall Street rewards those whose balance sheets look good, not those who are secure.  And if senior management gets unlucky and a public breach happens, they end up okay.  Equifax's CEO did not get his $5.2 million severance pay, but he did keep his $18.4 million pension.  Any company that spends more on security than absolutely necessary is immediately penalized by shareholders when its profits decrease."

And he finishes:  "Even the negative PR that Equifax is currently suffering will fade.  Unless we expect data brokers to put public interest ahead of profits, the security of this industry will never improve without government regulation."  Anyway, so "Number seven, we need effective regulation of data brokers.  Number eight, resist the complaints from the industry that this is too hard."  He notes that credit bureaus and data brokers and their lobbyists and their trade association representatives will claim that these measures are too hard.

He says:  "They are not telling you the truth."  He says:  "Take one example, credit freezes.  This is an effective security measure that protects consumers.  But the process of getting one and of temporarily unfreezing credit is made deliberately onerous by the credit bureaus.  Why isn't there a smartphone app that alerts me when someone wants to access my credit rating and lets me freeze and unfreeze my credit at the touch of the screen?  Too hard?  Hardly.  Today you can have an app on your phone that does something similar if you try to log into a computer network, or if someone tries to use your credit card at a physical location different from where you are."

He says:  "Moreover, any credit bureau or data broker operating in Europe is already obligated to follow the much more rigorous EU privacy laws.  The EU General Data Protection Regulation will come into force, requiring even more security and privacy controls for companies collecting and storing the personal data of EU citizens.  Those companies have already demonstrated that they can comply with those more stringent regulations."

Anyway, so really, really good testimony from Bruce.  He finishes with number 11, saying:  "We need to do something about it.  Yes, this breach is a huge black eye and a temporary stock dip for Equifax - this month.  Soon, another company will have suffered a massive data breach, and few will remember Equifax's problem.  Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014?"  He says:  "Unless Congress acts to protect consumer information in the digital age, these breaches will continue."

Finally:  "Thank you for the opportunity to testify today.  I will be pleased to answer your questions."  And Bruce then did that.  So bravo for having someone who understands the problem, who understands security, and who understands that we could easily, if they chose to, give us the technology, at least in these cases, to manage the availability of our credit far more usefully than we have today.