An Offensive Defense: Lessons from the Equifax and Marriott Breach

April 09, 2019

Contributor: Christy Pettey

Static personally identifiable information (PII) is not the answer.

In 2017, credit reporting agency Equifax announced the compromise of the personal data of 145 million U.S. consumers and limited information of residents of Canada and Great Britain, including names, addresses, Social Security numbers and birth dates. Roughly a year and a half later, Starwood Hotels confirmed its hotel guest database of about 500 million customers was stolen in a data breach, exposing everything from guests’ names and postal addresses to passport numbers and Starwood’s rewards information.

“Reduce reliance on static personal data and increase reliance on dynamic identity data when engaging in identity verification”

“These breaches did not happen in isolation. There are hundreds of ongoing attacks against all kinds of companies, all of which highlight the fact that consumers have no control over their data privacy in today’s information-processing environments,” says Avivah Litan, Distinguished VP Analyst, Gartner. “One of the solutions being recommended if you think your personal information may have been compromised is to request a credit freeze from all three major credit bureaus to ensure that hackers can’t exploit your stolen information — but my view is that will only protect you from less than 5% of the types of hacks that can happen to you.”


How can stolen data be used?

  • It could be sold and resold in the underground.
  • It could be used to update existing stolen identity records, which are already plentiful but often out of date in terms of phone numbers and addresses.
  • It could be used to take over existing accounts, including bank accounts, brokerage accounts, phone service accounts (a common occurrence these days, for example with Bitcoin wallet holders) and retirement accounts. “This compromised personally identifiable information (PII) data is used by call centers and online systems to verify identities when they are conducting high-risk transactions such as moving money or changing an account’s phone number on record,” says Litan. “So now, armed with the stolen up-to-date PII data, criminals can more easily impersonate their target victims to get into their accounts.”
  • It could be purchased and used by adversarial nation states that have their own nefarious plans to disrupt or steal from U.S. society. Goals can range from disrupting political processes or stealing valuable intellectual property used to manufacture weapon-related systems (e.g., missile defense) to more innocuous missions such as pilfering blueprints for consumer goods like luxury handbags or perfumes.


What should organizations do when it comes to identity proofing and verification?

To begin, it makes no sense to rely solely on static PII to identify the individuals a business is engaged with when, according to Gartner, there is a greater than 50% chance that the data is already in criminal hands. Organizations should reduce reliance on static personal data and increase reliance on dynamic identity data when engaging in identity verification. Systems based on dynamic non-PII data and behavioral indicators are better able to assess the legitimacy and risk of an identity claim than ones based on static, regulated PII data.

However, a layered identity-proofing approach is always the strongest approach, making it much harder for unauthorized users to compromise an organization's assets and systems. No singular identity assessment method used on its own is sufficient to keep determined fraudsters out or to verify the legitimacy of an individual identity claim.

“Identity assessment is not a one-time event. It must be a continuous cycle that is triggered by an authentication”

Blockchain distributed ledger technology is increasingly used for decentralized identity purposes as well. Commonly referred to as “self-sovereign” identity, this technology enables consumers to control their own identity data and release it selectively to whomever they wish. “While the technology is not yet widespread, it is positive to see that we are moving toward this direction,” says Litan. Fraud, security and business managers’ best bet is using multiple layers of identity assessment processes. Each layer backstops the previous one so that if criminals circumvent one layer, the next one will further deter them. Conversely, each successive layer adds assurance that an identity claim is legitimate.
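As an added illustration (not code from the article or from Gartner), the layered assessment described above can be written as a small policy: static PII serves only as a gate, dynamic non-PII signals form the next layer, and possession of an already-registered channel backstops both for the high-risk transactions the article names (moving money, changing the phone number on record). The field names, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Transactions the article singles out as high-risk: these are never
# approved on static PII alone, because that PII is assumed compromised.
HIGH_RISK = {"move_money", "change_phone_on_record"}


@dataclass
class IdentityClaim:
    transaction: str
    static_pii_ok: bool        # name/SSN/DOB/address matched the record
    device_known: bool         # device previously bound to this account
    behavior_score: float      # 0.0 (anomalous) .. 1.0 (matches user history)
    possession_verified: bool  # e.g. confirmation via an already-registered device


def assess(claim: IdentityClaim) -> str:
    """Layered assessment; each layer backstops the previous one.

    Returns "approve", "step_up" (ask for another layer) or "deny".
    """
    # Layer 1: static PII is a necessary gate but never sufficient proof.
    if not claim.static_pii_ok:
        return "deny"

    # Layer 2: dynamic, non-PII evidence (assumed weights: device 0.4, behaviour 0.6).
    dynamic = (0.4 if claim.device_known else 0.0) + 0.6 * claim.behavior_score

    # Layer 3: risk policy. High-risk actions need strong dynamic evidence
    # plus possession of a registered channel; matching PII alone never suffices.
    if claim.transaction in HIGH_RISK:
        if dynamic < 0.3:
            return "deny"       # unknown device and anomalous behaviour
        if claim.possession_verified and dynamic >= 0.5:
            return "approve"
        return "step_up"        # legitimate user on a new device lands here

    # Low-risk actions: dynamic evidence decides; step up when it is thin.
    return "approve" if dynamic >= 0.5 else "step_up"


if __name__ == "__main__":
    # Constructed scenario: criminal holding accurate stolen PII, no device history.
    impersonator = IdentityClaim("move_money", True, False, 0.2, False)
    print(assess(impersonator))  # deny
```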

Bottom line

Identity assessment is not a one-time event. It must be a continuous cycle that is triggered by an authentication or transaction. Organizations can pick and choose which of the layered measures to take based on risk tolerance, identity assurance requirements and cost. Situations are fluid, and constant change among a user population must be expected. The most appropriate strategy for assessing identity claims should be similarly fluid and dynamic.

More information can be found in Litan’s Gartner blog posts “Our Country has Been Hijacked and Equifax is only the latest casualty” and “7 Lessons from Marriott Starwood breach and what Mueller teaches us.”

This article has been updated from the original, published on September 11, 2017, to reflect new events, conditions or research.
