


Expert weighs in on cybersecurity breach that affected 143 million Americans


Data that included names, Social Security numbers, addresses, birth dates and driver’s license numbers was recently released in an Equifax data breach.

Equifax, a consumer credit reporting agency, recently had a massive data breach that released the personal information of up to 143 million Americans.

The data included names, Social Security numbers, addresses, birth dates and driver’s license numbers. Equifax gets its data from credit card companies, banks, retailers and lenders who report on the credit activity of individuals to credit agencies, per CNN.

Equifax handles the personal information of more than 820 million consumers and 91 million businesses, and manages a database with employee information from more than 7,100 employers, according to The New York Times.

The Daily Orange spoke with Shiu-Kai Chin, an electrical engineering and computer science professor at Syracuse University, to discuss the Equifax security breach.

The Daily Orange: Why do you think Equifax was targeted?



Shiu-Kai Chin: Well, they’re a juicy target … basically it’s a treasure trove of personal information. Credit cards, social security numbers — it’s similar to a master database of everyone who has credit in the United States.

The D.O.: How do cybercriminals steal information?

S.C.: There are a variety of ways. It sounds crazy, but usually what they do is they ask for it. In this specific case, I don’t know what they did. I think as people have gotten more sophisticated, we are always using electronic representation of ourselves. That could be our user ID and password, fingerprints, retinal scans, voice scan … or it could be a physical key or a swipe card, like the SUID.

There are three identification factors: something you have, like your SUID card; something you are, like your fingerprint; and something you know, like your PIN. Depending on how insecure each factor is, it can be correspondingly easy or difficult to steal your identity.

The other more insidious part of it: You have to be authorized to get what you need. The phishing attacks, where you get someone to answer an email, what they’re trying to do is steal your credentials in order to get authorization. There’s also the insider attack, someone inside the organization stealing the information or granting access.

The D.O.: Can the victims retrieve their stolen information?

S.C.: Realistically, no. With the credit card companies, recall the Home Depot breach. For many years, the Europeans had credit cards with chips. That technology is well over 20 years old. It wasn’t until the Home Depot breach when the credit card companies switched to cards with chips. You never get the information back, so it’s now viewed as you have to get new credentials.

The D.O.: This was Equifax’s third major cybersecurity threat since 2015. Is it possible to adjust technology to prevent such attacks? Or are they powerless to advanced cyber criminals?

S.C.: Yes, absolutely. Sure, there’s a lot you can do. Part of my own research is the notion of building authentication and authorization — in other words, building security — from the very start.

Thirty years ago, we did not have strenuous authentication and authorization built into our designs. The notion that someone could remotely access a piece of equipment was inconceivable. But now, that’s an everyday fact.

Businesses will often say it’s too hard and too complicated (to prevent cyberattacks), but if you literally think of information this way: If the medical records of the entire country were altered so just our blood types were changed, everything would grind to a halt. Nobody would trust the information.

If you start treating information like money, it would need to be audited, then all of a sudden people are going to be asking very different questions about the movement of information. The other idea is the type of privilege to access and change information, you need to give people the minimum privilege to do their job. Safety, integrity and security don’t happen by themselves.

The D.O.: Equifax is currently offering free identity theft protection and waiving fees on credit freezes for those impacted. Do you think this will suffice? How would you handle this breach?

S.C.: Well, I am one of the people that might be affected. I have been a long-term customer of theirs. Safety, integrity and security are emergent properties. Basically, no single component can guarantee safety, integrity and security. It has to be a combined effort of many parts of the system.

Equifax did the absolute minimum … basically saying, “We will help you monitor your information,” because frankly, they can’t account for information once it leaves their domain.

I would have built security systems from the start to match the level of protection and control that we expect from financial transactions. Information is the life and blood of a modern society, just like money is the lifeblood of capitalism. We have to treat both with care and seriousness.




