Personal financial data for as many as 143 million Americans, inadequately guarded by credit bureau Equifax and stolen by hackers, can never be sheltered again under an umbrella of privacy. Those victims could face dire consequences, such as raids on their bank accounts and identity theft, for the rest of their lives. The losses for Equifax shareholders have already reached into the billions. The company’s stock value plunged after it disclosed the huge breach on Sept. 7. By then, some Equifax executives had already sold their shares in the company. Equifax says it had discovered the cyber intrusion on July 29.
The Equifax hack—possibly resulting from a software vulnerability for which a patch was available two months before mid-May, when the company now says the cyberattack began—is also a watershed event that is eroding confidence in the overall credit reporting industry.
It has raised calls for increased regulation, not only on cybersecurity standards, but also on the core business model of credit bureaus. The security failure of Equifax, founded in 1899, may stimulate 21st century technologists to design new safeguards that would bolster Equifax and its two major competitors, TransUnion and Experian. But some tech innovators may also see opportunities to disrupt the dominance of the “big three” in an industry that dates back to the late 19th century.
“We’re operating with a legacy paradigm that just doesn’t scale to the digital economy,” says Robert Ackerman, founder and managing director of venture capital firm Allegis Capital, which concentrates on cybersecurity investments. “Equifax is going to start a lot of people thinking about solutions,” he says.
What would a new rival to Equifax look like? One response to that question came from Simon Peel, chief strategy officer at Alameda, CA-based Jitterbit, which helps banks and other customers adopt advanced technologies more quickly through the use of application programming interfaces (APIs).
“A competitor to Equifax would integrate the current best-of-breed technologies, in fraud detection, security and analytics, while also ensuring that they are remaining agile as new and improved technologies are being developed—such as predictive analytics, deep learning and AI,” Peel says in an e-mail exchange with Xconomy.
Peel says financial institutions are already using technology to move well beyond the metrics often relied on by credit reporting agencies to help lenders assess risks—that is, borrowers’ payment histories for loans and credit card debt. He points to the 2016 annual report by JPMorgan Chase, in which the bank described its use of a machine learning tool called COiN, which analyzed “12,000 annual commercial credit agreements in seconds compared with as many as 360,000 hours per year under manual review.”
Cybersecurity innovations are top of mind for Ackerman in the wake of the Equifax breach—not surprising, given his firm’s focus. But Ackerman also identified other pain points that entrepreneurs, as well as governments, could evaluate as they look to improve the credit reporting industry.
Hackers may have been able to abscond with their massive data trove more easily if Equifax was keeping the personal information of millions of people in a central repository, Ackerman says. “It is folly to collect everything and put it together,” he says. The idea of maintaining a complete set of valuable data in one hardened silo may seem more secure, but distributed data storage would limit the haul from each hack, he says. As it is, criminals may now be in possession of the Social Security numbers, dates of birth, credit card numbers, and driver’s license numbers of millions of Americans.
Regardless of the storage strategy, a business model that calls for assembling all that consumer data under the control of one company is asking for trouble, two University of Houston computer science professors write in a commentary this week for The Hill.
“What Equifax and others have done in concentrating massive quantities of personal data simply is not desirable in our time of cyber insecurity,” according to the commentary’s authors, professors Wm. Arthur Conklin, director of the university’s Center for Information Security Research and Education, and Christopher Bronk, the associate director of the center. “Private firms and government agencies that maintain such data stores need to be regulated concerning protection and isolation of the data.”
All of that sensitive data held by credit reporting agencies should be encrypted, wherever it’s stored, Ackerman says. Hackers may inevitably get into any data cache, but companies can make it less usable for them by encrypting it. IBM and other companies are working on methods to encrypt data even when it’s in use, he says. That could be a key improvement for the credit reporting industry, he says.
“If I were building a company in that space, that’s where I’d be going,” Ackerman says.
Open source software
Equifax says hackers were able to overcome the company’s defenses by taking advantage of a vulnerability called Apache Struts CVE-2017-5638. Even if that vulnerability in open source software was the gateway for the breach, it’s no excuse for Equifax, Ackerman says. Users of open source software must constantly probe and validate it, using a variety of methods such as code scanners, white hat hackers, and diligent adoption of security patches when they’re released. According to a story by Ars Technica, a patch was available to fix the software flaw in March, two months before the time period in May when Equifax says the breach began.
Monitoring of company systems for security breaches
Ackerman says the hackers may have been operating inside Equifax’s defense perimeters for a longer period than the company has acknowledged. Companies holding that much sensitive data should be vigilantly monitoring the data leaving the network to detect the exfiltration of information by cybercriminals, he says.
Social Security numbers
A fundamental weakness in the U.S. financial services system is the widespread use of Social Security numbers as a means to identify customers, Ackerman says. Those numbers were originally intended to be used only for communications about government benefits, not as an identifier demanded by private vendors, such as utilities and credit card companies, he says.
“The fact that we’ve allowed people to use it as a national identity is a tragedy,” Ackerman says. Unlike account numbers, Social Security numbers can’t be easily changed once they’ve been stolen.
Now that criminals may hold the Social Security numbers of more than 44 percent of the U.S. population, lenders will be much less certain that a person who can provide a valid number is the real owner of that identity. Millions of spoofed identities could be created based on filched Social Security numbers, Ackerman says.
“What we clearly need is a much more rigorous regime of identity authentication,” Ackerman says. Technology could help with that, by creating methods of authentication that can scale to an almost unlimited number of factors without slowing transactions, he says. Novel authentication factors made possible by technology include the location where a user logs into an account; the angle at which a cell phone is held; the user’s thumb pressure; and a customer’s walking gait, Ackerman says.
Jitterbit’s Peel says smartphones themselves provide the means for verifying the identities of their users.
“Two-factor authentication simply sends an SMS message containing a password to the mobile phone that is on record for that person at the credit agencies,” Peel says. “With the iPhone 6, 7 or 8 it would be simply a matter of putting your thumb on the fingerprint reader. With the newly announced iPhone X it could be as simple as holding up the phone to your face and using your face as the password to prove your identity.”
Such technology solutions can produce good outcomes, but they can also lead to some of the downsides consumers now resent about traditional credit agencies, says professor R.A. Farrokhnia, a member of Columbia University’s business and engineering faculty, and executive director of Advanced Projects and Applied Research in Fintech at Columbia.
Just as the credit agencies sweep up our financial information without our permission, new technologies can monitor personal behaviors such as our Internet search histories, which have also been proposed as possible indicators of creditworthiness—or a lack of it, Farrokhnia says.
Ackerman sees regulatory actions by governments as one of the important ingredients in re-engineering the credit reporting industry for the 21st century. That also goes for other sectors responsible for safeguarding the valuable data of individuals, in his book. He admires the EU General Data Protection Regulation (GDPR) data privacy scheme that will be enforced starting in May 2018. It will impose substantial penalties on companies that fail to safeguard the data of EU residents, no matter where the company is located.
Multiple functions of credit bureaus
Ackerman and others see problems worth solving in the array of different roles filled by credit bureaus. The primary function of the agencies is to help banks and other lenders determine whether a borrower is creditworthy; those lenders, in turn, report back to the credit bureau on each consumer’s track record of repayment.
The credit agencies also offer services to consumers, by helping them correct inaccuracies in their credit reports. But Ackerman sees these efforts as half-hearted.
“Their interest in our privacy and security and accuracy of information is lip service,” Ackerman says. “They care only if [an inaccuracy] reduces the value of information they’re selling. They collect your information without your permission, and they only work with you in response to regulatory pressure.”
As an investor, Ackerman says he’s been talking to colleagues for some years now about possible business models for an independent company that would protect consumer privacy and identity.
“I think there’s an opportunity,” he says. “More than an opportunity; there’s a need.”
University of Houston professors Conklin and Bronk think regulators should peel away another of the multiple functions of the credit bureaus: they sell the sensitive financial information of consumers to marketers.
“Lawmakers should consider investigating and possibly banning data brokering by the credit bureaus,” the professors suggest. “It is one thing for credit bureaus to inform lending establishments of consumer creditworthiness, but another for them to serve as behind-the-scenes marketing intelligence firms. So long as these companies cannot protect their data resources, they will harm U.S. consumers, financial institutions, and government through the countless cases of identity theft that incidents like the Equifax breach enable.”
Currently, U.S. government regulations applying to credit agencies are scanty, as detailed by the New York Times.
Farrokhnia, the fintech expert at Columbia, says the chance of a U.S. regulatory overhaul of the credit reporting industry may be slim, given the many distractions on the political scene and the current administration’s inclination to reduce regulation rather than expand it. Even so, the Federal Trade Commission has announced that it is investigating the Equifax hack, Reuters reported. Pressure is coming from other government sources, including investigations and lawsuits by state attorneys general. Class action law firms are lining up to sue Equifax on behalf of consumers.
Equifax’s management of the crisis is adding to public outrage. It delayed announcing the cyberattack after discovering it, and during that delay, company executives sold some of their shareholdings. Equifax offered consumers free credit monitoring for a year, but at first made it a condition that they give up their right to sue the company for damages due to the data breach. Equifax later removed that condition under pressure.
The fallout from the huge breach could end up imposing substantial costs not only on Equifax, but also on most businesses, according to a report by the financial institution UBS.
“Major high-profile attacks involving consumer data, like this Equifax incident, tend to lead to reevaluation of industry-wide security practices and the architecture of digital security,” according to the UBS report. The result could be higher spending not only on cybersecurity measures, but also on insurance to cover the potentially devastating financial impact of a cyberattack, UBS stated. Citing a Gartner report, UBS says global cybersecurity spending could grow to $170 billion by 2020.
“I can tell you, the cybersecurity budgets for Experian and TransUnion are now unlimited,” Ackerman says.
Xconomy’s Texas editor Angela Shah contributed to this story.