The recent, massive Equifax data breach, which put 143 million US consumers' personal data at risk—including names, Social Security numbers, birth dates, addresses, and some drivers license and credit card numbers—drove home the dangers facing any organization that stores a valuable trove of data. But awareness alone hasn't stopped or even slowed the recent slate of mega-breaches, which have impacted even strongly defended networks, like those of the Central Intelligence Agency and National Security Agency. That doesn't mean it's time to give up. Even if you can't stop breaches altogether, plenty of steps could slow them down.
Before Equifax,a number of other memorable data breaches lost tens of millions of records—including at Target, Home Depot, the Office of Personnel Management, and Anthem Medicare. While each attack happened in different ways, extra precautions could have helped mitigate the impacts.
"Breaches happen over and over again because of really simple things, it’s maddening" says Alex Hamerstone, a penetration tester and compliance expert at the IT security company TrustedSec. "Nothing works 100 percent or even close to it, but a lot of things work to a degree and when you start to layer them on top of each other and start doing basic things you’re going to get stronger security."
Organizations can start by segmenting their networks, to limit the fallout if a hacker does break through. Siloing attackers in one part of the network means they can't gain access beyond it. Even the examples of the CIA and NSA leaks—both embarrassing and damaging incidents for those organizations—show that it's possible to limit access control such that even attackers who grab something can't get everything.
Legislation and regulation may also help create more clearly defined repercussions for consumer data loss that motivate organizations to prioritize data security. The Federal Trade Commission declined to comment to WIRED about the Equifax breach, but noted that it provides resources as part of its consumer protection outreach and enforcement efforts.
Lawsuits can also help deter to lax security practices. So far more than 30 suits have been filed against Equifax, including at least 25 in federal court. And companies do suffer losses in the aftermath of a breach, both in terms of money and reputation, that spur some adoption of stronger protections. But all these elements combined still only result in gradual progress in the US, as illustrated by the situation with Social Security numbers, which have been known to be insecure as a universal identification for decades, but are still widely used.
Beyond what individual organizations can achieve on their own, increasing data security overall will require technological overhauls of network systems and user identification/authentication. Countries like Estonia and the Netherlands have made such systems a priority, instituting multi-factor authentication for financial interactions, like opening a credit card account. They also make these mechanisms more readily available to vulnerable industries like healthcare. Organizations can also focus on implementing robust data encryption, so even if attackers access information they can't do anything with it. But for these technologies to proliferate, industries must commit to reworking infrastructure to accommodate them—as was eventually the case with chip-and-pin credit cards, which the US took decades to adopt. And then there's just good old fashioned commitment to making sure the systems in place actual work like they're supposed to.
"There is no security without audit," says Shiu-Kai Chin, a computer security researcher at Syracuse University who studies development of trustworthy systems. "People who run businesses don't want to think about the cost of information audits, but if they just imagined that every packet of information was a hundred dollar bill, all of a sudden they would start to think about who touches that money and should they be touching that money? They would want to set up the system properly—so you only give people enough access to do their jobs and no more."
As a data-processing company, Equifax certainly had some information security protections in place. Experts note, though, that the network architecture clearly had some significant flaws if an attacker could have potentially compromised records for 143 million people without accessing the company's core databases—something Equifax claims. Something about the segmentation and user controls in the system allowed too much access. "In information security it’s easy to Monday morning quarterback and say ‘you should have patched, you should have done this’ when it’s actually a lot harder to do," TrustedSec's Hamerstone says. "But Equifax has money, it wasn’t like they were on a shoestring budget. It was a decision not to invest here, and that’s what kind of blows me away."
A common industry phrase is "there's no such thing as perfect security." It means that data breaches do happen sometimes no matter what, and always will. The challenge in the US is to creating the right incentives and requirements that compel technological overhauls. With the right setup, a breach doesn't have to be catastrophic, but without it the effects really are dramatic. "If we can’t account for the integrity of operations," says Chin, "then really all is lost."
