Equifax, one of the 3 major credit bureaus in the U.S., recently revealed a cyber breach resulting in the exfiltration of more than 143 million personally identifiable records – these are the veritable “crown jewels” in cybersecurity parlance, including social security numbers, addresses, birthdates and credit card information (albeit for a subset of the total). This corresponds to nearly half of the U.S. population and virtually 100% of the labor force. While the sheer number makes this one of the largest and most damaging cyber-attacks of its kind, the real long-range damage to Equifax may be the ill-timed stock sale by 3 of its executives, including its CFO, just days after the breach was originally discovered and nearly 2 months before it was disclosed. This seemingly deliberate move by these executives to de-risk their exposure to Equifax’s almost certain market loss, reveals how cyber risk cannot be treated in isolation of reputational harm. Similarly, this massive breach is yet another reminder that there is no technological panacea to cybersecurity, but rather a holistic approach to cyber resilience is needed.
Compounding the company’s challenges, reports that Equifax’s remediation measures would in fact limit consumer rights while boosting enrollment in their own subsidiary that provides identity monitoring services, have only added to management and governance headaches. Not to mention very legitimate consumer concerns as 143 million people grapple with a lifetime of vulnerability. Many of these affected consumers are already organizing a massive class-action lawsuit, seeking damages of $70 billion. Equifax’s heartfelt apology from their chairman and CEO, offers people the opportunity to enroll in their subsidiary’s identity monitoring services at no cost for a period of one year. Herein a host of new consumer challenges emerge, especially with the latency of cyber threats, the vast secondary black market where personal data are sold, the lifelong nature of social security numbers and our performance-based credit system. Sadly, low levels of financial literacy and awareness among many consumers means that those who can least afford this unwanted disclosure will bear the brunt of its long-term consequences. Others can take matters into their own hands to monitor their identities, guard against financial fraud and credit theft by following some straightforward, if noisome, steps.