Like most security professionals, I have been glued to various security news sites waiting for more details to be revealed from the Equifax breach. Last month, it was announced that Equifax’s CEO had stepped down.[1] In the wake of Equifax’s loss of 145 million records, 3 C-level leaders have been removed. In considering the fallout from Equifax, I started thinking about how this would impact the clients I work with.
There are a considerable number of articles on the importance of security, along with speculation on how Equifax failed to implement appropriate processes and controls. What seems to be missing is the nature of the data stolen. While Equifax has lost an estimated 145 million records, those records (and more) have already been distributed to thousands of other entities with far fewer resources than Equifax to protect the data.
The Evolution of Credit Reporting and Distribution of Data
The trend of expanding distribution of credit history data is more concerning. Currently, credit checks are used for employment background checks, collections firms, underwriting auto insurance, merchant accounts, big data analytics firms, and landlords. All of these entities initiate requests for data using Personally Identifiable Information (PII) and then receive additional details regarding an individual’s credit history. Therefore, the data stolen from Equifax has likely already been distributed across a multitude of industries.
A credit bureau such as Equifax is an interesting business in that it collects and stores information on consumers who are not its direct customers. In the past, the credit bureaus (Equifax, Experian, and TransUnion) simply collected data provided by issuers and loan origination entities. Detailed payment information could then be consolidated and resold to entities that needed the data to judge the creditworthiness of potential loan applicants.
In the early 2000s, all three credit bureaus began offering an authentication service using details from your credit history. These details are treated as a “Shared Secret” and are often used by financial institutions and call centers to authenticate individuals. Therefore, a malicious individual armed with this data could impersonate an individual, open lines of credit, purchase goods, etc. As a result of the breach and the general distribution of this data, the value of these services for authenticating an individual is greatly diminished.
Data Security Standards for Credit Reports
With a greater distribution of data, the need for data security standards outside the credit bureaus becomes increasingly important. Unfortunately, data security standards related to the protection of an individual’s credit history are essentially non-existent. GLBA is considered the “Privacy” standard but is limited to requiring institutions to tell consumers how data is handled and to “Safeguard” consumer data.[2] How an institution chooses to “Safeguard” the data is left up to the institution and is intended to be open-ended, flexible, and, as a result, questionable.
As a complement to the PCI-DSS, Experian introduced the EI3PA standard, which is a copy of the PCI-DSS standard with a focus on credit report data instead of Primary Account Numbers (PAN). These credit report “details” include Social Security Numbers, Birth Dates, Previous Addresses, Open Loan Accounts, and Payment information.
The enforcement of EI3PA is limited to resellers of credit reporting and does not extend to end-users.[3] In my years as an assessor, I have noticed many companies focus on the PCI-DSS but ignore or put off protecting the same data Equifax is accused of losing. This includes PII data as well as credit history details, which are “out-of-scope” for PCI. Many organizations will claim that certain details in the credit history are masked, and therefore not important, but this is not always the case. I recently pulled my credit history to meet background check obligations and noted that SSN, Birthdate, and Credit Tradelines were partially masked. My Driver’s License #, 20-year address history, open loans, and payment terms were all present.
Forget about Equifax, Look Inward
With Equifax in the news, now is an excellent opportunity to push for increased understanding and data safeguards within your organization. To summarize, much of the data Equifax has lost has likely already been distributed to thousands of entities, including an organization you may work for. In addition to focusing on potential “Struts” vulnerabilities, your organization should determine whether credit reporting processes exist within the organization. These processes may include the obvious, such as loan origination, but also likely include collection operations, periodic account monitoring, and employee background checks. Other processes may include batch requests, stored images, paper reports, or third-party processing. Once the processes are understood, an organization should seek to answer the following:
- Where is this data stored?
- How long is the data stored?
- Why is the organization storing credit report data? (if you don’t have it, it can’t be stolen)
Also, do not forget that personally identifiable information is needed to make a credit history request. Therefore, even though a credit history report may mask fields such as SSN and birthdate, your firm likely has the full detail, typically within the same database used to store the credit history response. Once the above questions are answered, the organization can begin to measure and report its risk exposure and implement appropriate mitigating controls. Finding data storage locations can be a challenge and should include manual methods as well as automated data discovery tools.
To estimate risk exposure and determine the resources necessary to mitigate risk, firms can rely on the Ponemon Institute’s annual Cost per Record statistic, which for 2017 was reported at $141 per record.[4] While your firm may not have 145 million records to lose, it does not take long at $141 per record to arrive at a large number. For example, based on Ponemon’s study, a loss of 10,000 records would result in a potential $1.4 million liability.
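As an added illustration (not part of the original article), the following Python sketch applies the questions above to a constructed sample export: it flags records where credit report fields such as a full SSN or birth date are stored unmasked, separates them from records the bureau already masked, and prices the exposure at the article’s $141-per-record figure. The record layout, field names, and sample values are assumptions.

```python
import re

# Ponemon Institute 2017 cost-per-record figure cited in the article (USD).
COST_PER_RECORD_USD = 141

# Patterns for credit-report fields that should not sit unmasked at rest.
# (Driver's license formats vary by state, so they are not modelled here.)
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # full SSN
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}
# Bureau-style masking such as XXX-XX-1234 or ***-**-1234.
MASKED_SSN = re.compile(r"(?:X{3}|\*{3})-(?:X{2}|\*{2})-\d{4}\b", re.IGNORECASE)

# Constructed sample export of a credit-decision table; layout and names are assumed.
SAMPLE_RECORDS = [
    "app_id=1001 name=Jane Doe ssn=123-45-6789 dob=04/12/1975 score=712",  # fully unmasked
    "app_id=1002 name=John Roe ssn=XXX-XX-4321 dob=XX/XX/1968 score=690",  # masked by bureau
    "app_id=1003 name=Ann Poe ssn=***-**-9876 dob=11/30/1982 score=655",   # SSN masked, DOB not
    "app_id=1004 note=collections follow-up, no bureau data retained",     # nothing sensitive
]

def classify_record(text):
    """Return the set of unmasked credit-report fields found in one stored record."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}

def estimated_liability(exposed_records):
    """Potential breach cost at the article's per-record figure."""
    return exposed_records * COST_PER_RECORD_USD

def scan(records):
    """Answer 'where is it stored?' and 'what could it cost?' for one data set."""
    field_counts = {name: 0 for name in PATTERNS}
    exposed = masked_only = 0
    for rec in records:
        found = classify_record(rec)
        for name in found:
            field_counts[name] += 1
        if found:
            exposed += 1
        elif MASKED_SSN.search(rec):
            masked_only += 1  # still present, and still reveals the last four digits
    return {
        "records": len(records),
        "exposed": exposed,
        "masked_only": masked_only,
        "fields": field_counts,
        "estimated_liability_usd": estimated_liability(exposed),
    }

if __name__ == "__main__":
    print(scan(SAMPLE_RECORDS))
```

In practice the same classifier would be run over database exports, image OCR output, and file shares found during discovery, with the masked-only count showing where partial masking is being relied on.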
About the Author
Richard Haag (MBA, CISSP, CISA, PCI-QSA, PA-QSA, P2PE-QSA) has spent the last 20 years identifying and reducing the risk for both large and small organizations. Richard started his career with a Fortune 50 Aerospace and Defense company before leaving to co-found CreditDiscovery, a credit reporting firm. As CTO of CreditDiscovery, Richard was tasked with infrastructure management and implementing security standards, such as Visa’s CISP (pre-cursor to PCI). Richard has recently joined Intersec Worldwide as Vice President of Compliance Services, after 11 years performing hundreds of PCI related assessments and consulting for domestic and international processors, and financial institutions. Based in Houston, Texas, Richard continues to work with Intersec clients on compliance and risk management initiatives.
About Intersec Worldwide
Intersec Worldwide is a leader in information security consulting, penetration testing, risk management, forensics, security controls implementation, managed security services, and compliance assessments. Intersec specializes in providing seasoned consultants with diverse industry backgrounds and practical experience. Intersec Worldwide’s service area includes North America, Europe, South America, and Asia. Visit www.intersecworldwide.com to learn more about the services we offer.
[1] http://www.businessinsider.com/equifax-cyberattack-hackers-executives-retiring-2017-9
[2] https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying
[3] https://www.experian.com/assets/corporate/technical-providers/ei3PA-faq-technical-providers.pdf
[4] https://securityintelligence.com/media/2017-ponemon-institute-cost-of-a-data-breach-study/