The massive Equifax data breach of 143 million personally identifiable records – a staggering treasure trove of data on nearly the entire U.S. workforce – changes everything, or at least it should. The canary in the coal mine with this breach is the fact that over the past five years Equifax’s annual reports reveal troubling tone deafness to growing cybersecurity alarm bells that have affected many commercial giants, including Target, Sony and Yahoo, among others. During this same time frame, regulatory standards and business convention on adequate cyber hygiene have been promulgated by a host of directives in the U.S. and internationally. And yet, the post-mortem on this breach – the BP oil spill of personal data – will likely miss the bigger question: why are our identities so vulnerable in the first place?
The fact that the triopoly of Equifax, TransUnion and Experian can collectively amass more than $9 billion in revenues, largely trading on people’s personal information without their consent, says a lot about the state of personal identity. Worse yet, the information that credit bureaus store and synthesize with our blind consent informs most major financial outcomes for consumers, who are largely powerless to be their own advocates. As the scale of the Equifax breach sinks in, the lifelong consequence of having an analog identity in a digital era is a stark reality for which governments and citizens around the world are ill prepared. The Equifax case is another example of systemically important firms hiding in plain sight.
Sadly, the taxonomy of cyber breach disclosures has evolved into a very predictable pattern, proving that corporate leaders are slow to learn that bad news does not improve with time. The first stage for Equifax, following the questionable stock sale by key executives, was to reveal this event to the public nearly two months after the fact.