An Offensive Defense: Lessons from the Equifax Breach

Static personally identifiable information (PII) is not the answer.

On Friday, Equifax, the credit reporting agency, announced a massive data breach which involves the potential compromise of the personal data of 143 million U.S. consumers and limited information of residents of Canada and Great Britain, including names, addresses, Social Security numbers, and birth dates.

“One of the solutions being recommended to protect yourself if you think your personal information may have been compromised is to request a credit freeze from all three major credit bureaus to ensure hackers can’t exploit your stolen information,” says Avivah Litan, vice president and distinguished analyst at Gartner. “However, my view is that will only protect you from less than five percent of the types of financial crimes that can happen to you.”

How could the stolen data be used?

  • It could be sold and resold in the underground.
  • It could be used to update existing stolen identity records, which are already plentiful and abundant, but a bit out of date in terms of phone numbers and addresses.
  • It could be used to take over existing accounts, including bank accounts, brokerage accounts, phone service accounts (a common occurrence these days, for example with Bitcoin wallet holders), and retirement accounts. “This compromised personally identifiable information (PII) data is used by call centers and online systems to verify identities when they are conducting high risk transactions such as moving money or changing an account’s phone number on record,” says Litan. “So now, armed with the stolen up-to-date PII data, criminals can more easily impersonate their target victim in order to get into their account.”
  • It could be purchased and used by adversarial nation states, including Russia, China, North Korea and Iran, who have their own nefarious plans to disrupt or steal from U.S. society. Goals can range from disrupting political processes or stealing valuable intellectual property used to manufacture weapon related systems such as missile defense to more innocuous missions like pilfering consumer goods’ blueprints for luxury handbags or perfumes.

What should organizations do when it comes to identity proofing and verification?

First it makes no sense to solely rely on static PII to identify an individual a business is engaged with when there is a greater than 50 percent chance that data is in criminal hands. Organizations should reduce reliance on static personal data and increase reliance on dynamic identity data when engaging in identity verification. Systems based on dynamic non-PII data and behavioral indicators are more able to assess the legitimacy and risk of an identity claim than ones based on static, regulated PII data.

However, a layered identity proofing approach is always the most effective approach. Successive layers of identity assessment processes provide stronger protection and make it much harder for criminals and other unauthorized users to compromise an organization’s assets and systems. No singular identity assessment method used on its own is sufficient to keep determined fraudsters out, or sufficient to verify the legitimacy of an individual identity claim.

Fraud, security and business managers should use multiple layers of identity assessment processes, as each layer backstops the previous one so that if criminals circumvent one layer, the next one will further deter them. Conversely, each successive layer adds assurance that an identity claim is legitimate.

Bottom Line

Identity assessment is not a one-time event. It needs to be a continuous cycle that is triggered by an authentication or transaction. Organizations can pick and choose which of the layered measures to take based on risk tolerance, identity assurance requirements and cost. Situations are fluid and constant change among a user population must be expected. The most appropriate strategy for assessing identity claims should be similarly fluid and dynamic.

Get Smarter

Gartner Blog & Client Research
More information can be found in Litan’s Gartner blog “Our Country has Been Hijacked and Equifax is only the latest casualty.” Gartner clients can read more in the report “Absolute Identity Proofing Is Dead; Use Dynamic Identity Assessment Instead.”

Security Hub
Learn more about data breaches at the Gartner Digital Risk & Security hub for complimentary research and webinars.

Gartner Identity & Access Management Summit 2017
Privacy and access management issues will be further discussed at the Gartner Identity & Access Management Summit 2017 taking place November 28-30 in Las Vegas. Follow news and updates from the event on Twitter at #GartnerIAM.