Q&A: Are consumer data breaches the new normal?

On Sept. 7, Equifax Inc. announced a breach of data impacting about 143 million U.S. customers. The information affected includes names, Social Security numbers, birth dates, addresses and some driver’s license numbers.

ASU Now spoke with Jamie Winterton, director of strategy in ASU’s Global Security Initiative, to learn more about why breaches are so common and what impacts consumers face as a result. 

Question: Data breaches have become so common. Should consumers consider these instances to be a new normal?

Answer: I wish I could say no, but, unfortunately, data breaches are a fairly common event. And the numbers are staggering. The Equifax breach affected 134 million people — that’s almost half the population of the U.S.

Perhaps more concerning is that consumers aren’t always notified immediately when their data has been compromised. Equifax mentioned in the press release that the files were accessed sometime between mid-May and July, through an unspecified web-based vulnerability. So, several months passed where an affected individual’s data could’ve been used for identity theft.

Q: What kinds of challenges exist for cybersecurity professionals who are trying to stay a step ahead of hackers?

Jamie Winterton

A: Hackers are incredibly creative — there’s a saying that “red team only has to be right once.” This means that, for all the security protections a company takes, a hacker just needs to find one vulnerability to exploit. Staying on top of all the potential methods of attack is one challenge.

Another challenge is that companies often don’t prioritize cybersecurity until it’s too late. We’re still too vulnerable to known methods of compromise. We don’t yet know the exact methods that the Equifax hackers used, but most often, hackers compromise a network by exploiting known security issues in the system. It’s very unusual that a hacker will have to use a brand-new method of breaking in (also known as a “zero day”). It can be difficult for information security professionals to keep security at the top of the list, when there are so many other pressing business needs for a company to address.  

Q: Equifax has created a website to help consumers determine whether their information has been comprised and is offering identity theft protection. Is there anything else consumers can actively do to prevent damage in these situations?

A: First, never use any personal data in your passwords. Too many people still use their date of birth, middle name or some combination of information that is easy to reconstruct from these breaches. Identity theft protection is a good idea, especially if you’ve been breached — it won’t stop someone from using your data, but it will alert you to suspicious activity, like loans being taken out in your name, or unusual credit card activity. Finally, be aware of things like your credit score and credit history. The longer it takes to find malicious activity, the longer it takes to recover.