Perhaps the most shocking thing about the Equifax data breach was the sheer scale of sensitive customer data stolen from a single organisation. The 143 million records of Americans, including social security numbers, birth dates and addresses, contain most of the information that banks, insurance companies and other businesses use to confirm a customer's identity. The personal data of the majority of the American adult population is now in the hands of criminals and hostile nation states, and will remain so indefinitely.
Or perhaps most shocking was the fact that the sole purpose of Equifax's existence was to collect and securely maintain people's personal data.
Or perhaps it was that the company took many months to report the breach. A breach that started in May and was discovered by the company in July was not reported until September.
Or perhaps the most shocking was the manner of the company's response after the breach: it set up an insecure, broken and scammy-looking website to notify its customers of the breach, it tried using the breach as a lead-generation mechanism for selling its identity-protection service, and it inserted an arbitration clause into the terms of service to prevent enrollees from suing the company.
Or perhaps we are too inured to be shocked by anything anymore. We are so used to such incidents of sheer negligence by companies, and to the charade that follows, that we have become completely helpless and resigned.
Yahoo, LinkedIn, Target, Sony, Verizon, TalkTalk, Zomato, DNC, Jio, Ashley Madison, HBO and now Equifax. Each time, the company or group issues an apology, promises to protect your data in the future and moves on. The pattern keeps repeating over and over again. There are no prosecutions of the errant companies and no compensation for the consumers whose data is compromised.
The US must follow the EU's lead and implement cybersecurity regulations
The only way to break this cycle is through regulation. Europe has been the most progressive in protecting its citizens and their data, and upcoming regulations like PSD2 and GDPR ensure that companies must take the security of their customer data seriously. The US has no such regulations in place despite multiple mega-breaches over the years compromising customer data, not even after its presidential election was compromised as a result of broken security. Meanwhile, India is still debating whether privacy is a fundamental right; while it has implemented various digitisation and demonetisation measures and the ambitious citizen identity project called Aadhaar, it does not have any data protection laws in place. Hopefully India and the US can learn from Europe on this one and put in place stringent data protection laws that ensure businesses do not take customers for a ride.