The Equifax Breach is not Special
The hue and cry over the Equifax hack has subsided to a dull roar. We’ve passed the stage of ‘initial reports,’ which are usually wrong, and are firmly in armchair cybersecurity pundit mode. ‘What did Equifax executives know and when did they know it?’ inquiring minds want to know, among other things of varying relevance. All of this is de rigeur for massive breaches, along with a few other things…
First, there is more to the breach than meets the eye. This means some things won’t be as bad as initially thought, some things will be horribly worse. Today’s villains will end up looking like martyrs and everyone who seems competent will be remembered as buffoons…or maybe not. It doesn’t matter. What matters is that everyone could have done everything right and they’re still just gears in a corporate machine working off of imperfect information, under impossible deadlines, without enough funding, and without the right human resources. You know: the same problems we all have.
The leadership team of Equifax is not better or worse than any other company. This means both behavior and capabilities and actions. Much has been made about the academic qualifications of the firm’s CISO, but it’s much ado about nothing. Experian isn’t her first job in security, and her previous positions were not for outfits that were slack about security. Let’s also remember that Equifax is not in the security business, so their primary concern was never going to be security.
Equifax will still be in business a year from now. Pick a major breach at a publicly traded company. Go back as far as you like. How many of those companies are still in business? How many of them have stock prices that are the same or better as they were just before the breach? I’ll save you some time: None that I can find have gone bankrupt and their stock prices are doing just fine, thankyouverymuch. If things hold true to form they’ll suffer no long-term impact. I’m so confident about this I’m actually buying Equifax stock.
This will not be the breach event that brings about change or reform.Remember the Target breach? Home Depot? TJ Maxx? OPM? Remember how those were the breaches that were supposed to change everything? Remember how breaches stopped, executives went to jail and paid stiff fines, and everything was right with the world? This breach is no different, and there is nothing to indicate the result will be different.
Finally, nobody cares. Not enough anyway, and not for long. Security people care because of myriad reasons. Individuals care because they’re afraid of being impersonated or defrauded. Lawmakers care because their constituents care and because being outraged on behalf of the little people makes for good passive campaigning. But let me tell you what is going to happen:
- Some other security drama is going to pop up in a couple of weeks and all the angry nerds will channel their anger in that direction because nothing helps improve security than snarky hot takes on social media.
- Individual citizens are going to realize that most if not everything lost in this breach has been lost a dozen times before. Even if this is the time they get ripped off, banks and retailers will make them whole.
- Lawmakers will move on to the next crisis du jour because constituents have stopped pestering them about Equifax, and the data broker/credit rating industry lobbyists will have spent a sufficient amount of money on donations, scotch, cigars, and steaks to convince the honorable gentleman from the back 40 that the industry can regulate and take care of itself.
The Equifax breach is not special. It’s just like every other breach that preceded it, and it is almost assuredly going to be another data point that supports the template for the one that follows it. Security is not the issue we think it is, and it will never be until the consequences are high enough.