Equifax Breach: Making Sense of ‘Identity’ Theft
Equifax made news recently for being the victim of a hack; their systems were compromised and data was accessed by person(s) that weren’t authorized to have it. Unfortunately, this is not an uncommon occurrence these days. Hacks happen all the time, to companies both large and small. Individual hacks aren’t really noteworthy any more. But what is particularly noteworthy about this incident is the data that was accessed: the personal (and supposed-to-be private) information of roughly half of the US population.
What information? Well, in addition to your “credit score” they have your social security number, current home address, home addresses going back several years, payment history on all your credit cards, your water bill, your cable TV bill, and who-knows-what else. This information is used by companies to determine whether or not you are a good credit risk. Whenever you apply for a loan, or a credit card, or rent an apartment (or do a host of other things), there’s a fair chance that your credit report is requested from Equifax or one of the other reporting agencies. This is how things have always been done. And, as a system for assessing credit risk, it works just fine.
The problem is, there’s an implicit assumption that your credit record (the information that Equifax et al. collect about you) actually identifies you.
And that’s ridiculous.
Occasionally someone has their identity “stolen.” I never liked that phrase. Movies notwithstanding, they can’t peel your face off, suck your brains out through a straw, or transport their consciousness into your body. All they can do is pretend to be you by accumulating enough information about you that someone who doesn’t know you will think they’re you. Usually the “someone who doesn’t know you” is a bank or a store, the someone pretending to be you wants something from them (money or merchandise), and the information is your SSN (traditionally a “secret number,” much like a password) and your address and phone number. The pretender hands the vendor your info, the vendor hands the pretender the goods, and then the pretender disappears with the goods, leaving the bill on the counter (to be picked up by you and/or the vendor).
Your identity isn’t something that someone can take from you. You are not data. And the data that gets collected about you does not constitute an identity. Are you your phone number? No? Then why would you be your SSN? Or any other data point? It’s pretty ridiculous, and that data should never have been used in that fashion, but it was, and it’s now loose on the internet.
But that’s okay, because Equifax is offering a year of free credit monitoring. Sure, that will fix the problem. As if data on the internet disappears after a year. Or two. Or ten.
There’s an old adage in economics: If I owe you a hundred dollars, I have a problem; if I owe you a hundred million dollars, YOU have a problem. That sentiment succinctly sums up my thoughts on this hack, to wit: If you have your identity stolen, you have a problem; if half the population of the US has their identity stolen, then EVERY VENDOR THAT DEALS IN CREDIT has a problem.
Just imagine: Half the US population. A 50% chance that anyone that applies for credit isn’t who they say they are. Take a moment and let that sink in.
Is that a data problem? Or an identity problem? And… do you like those odds?
Consider this: If all that data had been encrypted, would this particular hack have caused such a huge problem for so many people? Even better, if all that data wasn’t being misused to establish identity, would it even matter if it was encrypted?