Equifax: The Hazards of Dragnet Surveillance Capitalism – Part 2: Just Another Data Breach? Or C-Suite Criminal Negligence?
Abstract
The reckless handling of data collected in capitalistic dragnet surveillance has developed into a national security and privacy epidemic. The Equifax breach, in which attackers exfiltrated the credit records of 143 million Americans, is an inexcusable travesty that resulted from systemic negligence and the irresponsible actions of senior executives. The company and its C-suite executives should not be permitted to simply cash in their insurance or pensions and then move on, while 44 percent of the nation has to change microscopic aspects of their daily lives to remain vigilant against lurking adversaries, despite never authorizing Equifax to collect, retain, or exchange their data. Rather than passing the brunt of the impact onto consumers, Equifax and its executives must be held accountable for their failure to secure consumer data according to its value, so that other data brokers and the American public understand that organizational actions that jeopardize the security and privacy of the public and the nation will not be allowed to continue without consequence.
Introduction
Few things are certain in the emerging cyber-kinetic-meta-war; however, one absolute is that capitalistic dragnet surveillance, formerly a privacy issue, has metastasized into a national security epidemic. The breach of Equifax, one of the largest data brokers, resulted in the loss of credit record portfolios of 143 million Americans, nearly 44 percent of the population. Equifax botched even fundamental incident response procedures repeatedly. Instead of focusing on mitigating the potential harm to consumers and businesses, Equifax executives spent nearly six weeks conspiring machinations to lobby for the removal of consumer protections, to profit from victims through “free” credit monitoring and identity theft services, and to trick average Americans into relinquishing their rights to pursue legal action against Equifax. Equifax and its executives should be held accountable for their failure to safeguard consumer data according to its value.
Given the nearly infinite capabilities of artificial intelligence and machine learning, malicious threat actors will be able to leverage the stolen Equifax credit records and metadata exfiltrated from other sources in potent multivector cyber-kinetic-meta-warfare attacks against critical infrastructure personnel and average consumers for years or decades. The realistic best-case scenario is an onslaught of identity theft, credit profile manipulation, rampant tax fraud and health sector fraud. More likely though, sophisticated adversaries will utilize the information to psychographically target vulnerable critical infrastructure executives and congressional employees with elevated privileges psychographically in precision-tailored social engineering campaigns that deliver malware or ransomware onto sensitive systems or that result in the exfiltration of intellectual property or classified intelligence.
In regard to the Equifax breach, ICIT has received more briefing requests from Congress, federal agencies, and domestic and international law enforcement than it has on multiple other recent major topics combined, including election hacking, Russian attempts to undermine democratic institutions, the OPM breach and the Anthem breach. Approximately 44 percent of the United States population had their credit records compromised, and victims are experiencing panic and fear as they begin to comprehend how potent tailored psychographic attacks can be when adversaries leverage the stolen Equifax files. Data brokers must understand that willful ignorance of cybersecurity and cyber-hygiene cannot be allowed to continue. Consumers’ data are more than just commodities. Each loss impacts lives directly. Through its calamitous failures, Equifax has distinguished itself as the prime example.
Equifax should live on only in infamy, just as Enron remains an example of dishonest business practices. Equifax should epitomize the consequences of negligent data brokerage. Equifax systems can no longer be trusted. The integrity of the data in its possession has been compromised. The information cannot be regarded as authentic because adversaries could have altered, removed, or added details without Equifax’s knowledge. Its “Frankensteined” architectonic labyrinth of an IoT microcosm is prototypical of the vulnerable networks, managed by unqualified information security personnel, that support every major data broker.
The Equifax Breach Was an Inexcusable Travesty
The Equifax breach is more substantial than previous disastrous incidents at Target, Home Depot, Yahoo, and other companies, because the consumer data housed within Equifax systems are more substantial than just credit card information. Consumers can cancel a compromised credit card [1]. Equifax is a data broker. Its product is aggregated consumer information collected from third parties and dragnet surveillance initiatives. The exposed data included consumers’ Social Security numbers, birth dates, full names, driver’s license information, purchasing habits, frequented businesses, and other extremely personal information [1] [2]. Equifax and third parties leveraged the aggregate data in complex psychographic and demographic big data algorithms to predict microscopic and macroscopic aspects of individual consumers and entire groups to assess the credit value of individual consumers and inform decisions about whether they were responsible enough to receive credit, borrow money, or take out mortgages. [2]. Now, the attacker(s) can also make predictions and assessments of consumers’ lives, in addition to compromising financial accounts and stealing identities. By necessity of its function, the data sets had to be robust enough to approximate an individual’s life. Now the lives of 143 million Americans are in the hands of an unknown malicious threat actor. At any time in the next few days to the next few decades, that adversary could sell or disclose the data publicly and inflict severe short-term and long-term harm on approximately 44 percent of the United States population [2].
Background
On July 29, 2017, Equifax discovered that for at least two months, a remote adversary had exploited an unpatched Apache Struts vulnerability (CVE-2017-5638) and exfiltrated the sensitive extensive credit record information of 143 million Americans. The credit card information of 209,000 consumers was also exposed. Definitive details of the attack are still emerging, but some postulate that the attackers may have discovered vulnerable Equifax servers via Shodan or that they may have piggybacked off of affiliated banking networks and compromised Equifax’s system laterally [2] [3]. A patch for CVE-2017-5638 was made available publicly on March 7, 2017, at least two months before the breach; however, negligent system administrators within Equifax failed to apply the patch to the vulnerable systems.
The breach was not disclosed to the public until September 7, 2017. Equifax claims that it spent the intervening time working with a cybersecurity consultant and authorities; however, in that time, Equifax amended its terms and conditions to reduce legal liability, lobbied against victim breach protections, and planned initiatives that exploited victims of the breach further or forced them to sign away their ability to litigate. Overwhelming public outcry has since compelled Equifax to retract its claim over victim arbitration rights and offer free credit monitoring and credit freezes for a year. It should be noted that the risk to victims will likely last decades. The offered TrustedID credit monitoring service auto-renews for a fee after the first year. Equifax will thereby profit from its victims in the future.
Equifax relied on a haphazardly designed website for its breach response. The site proved unable to report accurately whether consumers were victims of the breach [4]. Some users reported that the site accepts fake information or gives differing results for the same input. Its name, equifaxsecurity2017.com, resembled the naming schema of phishing sites. The site was initially blocked by some malware prevention services, such as OpenDNS [2]. Further, Equifax’s Twitter account directed users accidentally to a malicious watering-hole [4].
There Is a Difference Between Consumer and Commodity
Consumers choose whether to frequent Target or Home Depot. If a store is impacted by an incident or revealed to practice poor cybersecurity and cyber-hygiene, consumers can frequent a competitor instead. Most citizens have never used Equifax’s products. They receive no economic incentive in exchange for their data, and they have little or no control over how Equifax uses that data. Simply put, American citizens are not Equifax customers; they are its product. Through the capitalization of dragnet surveillance and the employment of psychographic and demographic Big Data algorithms, organizations like Equifax have monetized nearly every aspect of individuals’ identities. It is estimated that together, Equifax, Experian, and TransUnion collect more than 4.5 billion new pieces of consumer data each month. As consumers age, so too grows the lists of addresses, PII, utility accounts, telephone subscriptions, criminal records, medical debts, housing histories, and other information. To an extent, for-profit credit bureaus like Equifax have more control over whether a consumer “qualifies” for credit, a mortgage, or a loan, than the applicant does. Citizens and financial institutions alike cannot opt out of the credit report system that private credit bureaus have superimposed over critical infrastructure sectors [4].
The OPM breach was a cyber-Pearl-Harbor that shook the nation and invited public outrage, numerous investigations, Congressional inquiries, and widespread reformation of critical infrastructure cybersecurity. The breach galvanized public and private organizations momentarily to improve their security posture and protect treasure troves of sensitive data according to their value. OPM was compromised because it lacked the resources and knowledgeable employees to protect its systems [5]. Equifax is not comparable to OPM in anything but its catastrophic short-term and long-term impacts on national security and its organization’s refusal to invest in qualified information security personnel for vital decision-making roles. Equifax is not OPM. OPM had limited resources to secure obsolete legacy systems and hire information security personnel [5]. Equifax has an annual revenue exceeding $3 billion [2]. It could have afforded to hire multiple information security teams to assess risk perpetually and implement policies, procedures, and controls to mitigate threats and remediate compromises before consumers were harmed. Equifax knowingly and continuously failed to protect data according to its value or potential to impact victims if disclosed.
The Equifax breach is an inexcusable travesty. Like many other data brokers, the company eschewed cybersecurity and cyber-hygiene best practices in favor of short-term savings and profits, because they assumed either that their investment in modest cyber insurance policies would cover the costs of any incidents or that they were too essential to America to be allowed to suffer severe consequences that resulted from their deliberate negligence. By their estimation, any breaches of data would impact consumers and have only a transitory impact on their bottom line. At the moment, their estimation is moderately accurate. Data brokers do not seem to be held to the same level of accountability as other businesses. Consider that if a single hospital jeopardized the well-being of 143 million patients for the next decade, it would not remain operational and its executives would likely be subject to criminal charges. If a restaurant chain discovered that its product posed a risk to nearly half of American consumers and then it decided knowingly to withhold that information for six weeks so that it could profit and position itself to exploit the victims further, it would not remain operational and its operators would face criminal charges. The C-level executives of Equifax should at least face investigations and Congressional inquiry, if not criminal charges, for their absolute disregard for fundamental cybersecurity and cyber-hygiene best practices.
Authored by James Scott, Senior Fellow, Institute for Critical Infrastructure Technology
See the full PDF below.
