An Offensive Defense: Lessons from the Equifax Breach

Static personally identifiable information (PII) is not the answer.

On Friday, Equifax, the credit reporting agency, announced a massive data breach that involves the potential compromise of the personal data of 143 million U.S. consumers, as well as limited information on residents of Canada and Great Britain, including names, addresses, Social Security numbers, and birth dates.

“One of the solutions being recommended to protect yourself if you think your personal information may have been compromised is to request a credit freeze from all three major credit bureaus to ensure hackers can’t exploit your stolen information,” says Avivah Litan, vice president and distinguished analyst at Gartner. “However, my view is that will only protect you from less than five percent of the types of financial crimes that can happen to you.”

Manage Risk. Build Trust. Embrace Change.
Gartner Security & Risk Summit 2018
Learn More

How could the stolen data be used?

  • It could be sold and resold in the underground.
  • It could be used to update existing stolen identity records, which are already plentiful but somewhat out of date in terms of phone numbers and addresses.
  • It could be used to take over existing accounts, including bank accounts, brokerage accounts, phone service accounts (a common occurrence these days, for example with Bitcoin wallet holders), and retirement accounts. “This compromised personally identifiable information (PII) data is used by call centers and online systems to verify identities when they are conducting high risk transactions such as moving money or changing an account’s phone number on record,” says Litan. “So now, armed with the stolen up-to-date PII data, criminals can more easily impersonate their target victim in order to get into their account.”
  • It could be purchased and used by adversarial nation states, including Russia, China, North Korea and Iran, which have their own nefarious plans to disrupt or steal from U.S. society. Goals can range from disrupting political processes or stealing valuable intellectual property used to manufacture weapon-related systems such as missile defense, to more innocuous missions like pilfering consumer goods’ blueprints for luxury handbags or perfumes.

What should organizations do when it comes to identity proofing and verification?

First, it makes no sense to rely solely on static PII to identify an individual a business is engaged with when there is a greater than 50 percent chance that the data is in criminal hands. Organizations should reduce reliance on static personal data and increase reliance on dynamic identity data when performing identity verification. Systems based on dynamic non-PII data and behavioral indicators are better able to assess the legitimacy and risk of an identity claim than ones based on static, regulated PII data.


However, a layered identity proofing approach is always the most effective. Successive layers of identity assessment processes provide stronger protection and make it much harder for criminals and other unauthorized users to compromise an organization’s assets and systems. No single identity assessment method used on its own is sufficient to keep determined fraudsters out, or to verify the legitimacy of an individual identity claim.

Fraud, security and business managers should use multiple layers of identity assessment processes, as each layer backstops the previous one so that if criminals circumvent one layer, the next one will further deter them. Conversely, each successive layer adds assurance that an identity claim is legitimate.

Bottom Line

Identity assessment is not a one-time event. It needs to be a continuous cycle that is triggered by an authentication or transaction. Organizations can pick and choose which of the layered measures to take based on risk tolerance, identity assurance requirements and cost. Situations are fluid and constant change among a user population must be expected. The most appropriate strategy for assessing identity claims should be similarly fluid and dynamic.
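The layered, risk-based assessment described above (static PII as only one weak layer, dynamic non-PII data and behavioral indicators as the stronger layers, and a threshold that depends on the risk of the transaction) can be made concrete in code. The following is an added illustration, not code from Gartner or from any credit bureau: the layer names, weights, risk tiers and account data are all constructed assumptions for the example, and the decision is recomputed on every request rather than once at enrollment.

```python
"""Layered, risk-based identity assessment (illustrative example, not Gartner's code).

Each layer scores one kind of evidence. Static PII is deliberately weighted low
because the article assumes it is likely already in criminal hands. The
assurance required depends on the risk of the transaction, so the evidence that
suffices to view a balance is not enough to change the phone number on record.
All weights, tiers and account data below are constructed for the example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # ask for an additional dynamic proof, e.g. a push to a known device
    DENY = "deny"


@dataclass
class IdentityClaim:
    ssn_last4: str
    dob: str
    known_devices: set = field(default_factory=set)   # device ids previously bound to the account
    usual_regions: set = field(default_factory=set)   # regions the account has transacted from


@dataclass
class Request:
    action: str                 # e.g. "view_balance", "move_money", "change_phone"
    ssn_last4: str
    dob: str
    device_id: str
    region: str
    transactions_last_hour: int
    session_age_seconds: int


# Hypothetical risk tiers: assurance needed per action (0.0 to 1.0).
REQUIRED_ASSURANCE = {"view_balance": 0.4, "move_money": 0.75, "change_phone": 0.85}

# Static PII carries the least weight; the dynamic and behavioral layers backstop it.
WEIGHTS = {"static": 0.2, "dynamic": 0.5, "behavioral": 0.3}


def static_pii_layer(claim: IdentityClaim, req: Request) -> float:
    """Layer 1: static PII match. Necessary, but weak evidence on its own."""
    return 1.0 if (req.ssn_last4 == claim.ssn_last4 and req.dob == claim.dob) else 0.0


def dynamic_data_layer(claim: IdentityClaim, req: Request) -> float:
    """Layer 2: non-PII dynamic data - device binding and location consistency."""
    score = 0.0
    if req.device_id in claim.known_devices:
        score += 0.6
    if req.region in claim.usual_regions:
        score += 0.4
    return score


def behavioral_layer(req: Request) -> float:
    """Layer 3: behavioral indicators - transaction velocity and session age."""
    score = 1.0
    if req.transactions_last_hour > 5:   # burst of activity is a common takeover signal
        score -= 0.5
    if req.session_age_seconds < 60:     # high-risk action seconds after login
        score -= 0.3
    return max(score, 0.0)


def assess(claim: IdentityClaim, req: Request):
    """Return (assurance, decision). Run on every authentication or transaction."""
    static = static_pii_layer(claim, req)
    if static == 0.0:
        return 0.0, Decision.DENY            # a failed first layer short-circuits
    assurance = (WEIGHTS["static"] * static
                 + WEIGHTS["dynamic"] * dynamic_data_layer(claim, req)
                 + WEIGHTS["behavioral"] * behavioral_layer(req))
    required = REQUIRED_ASSURANCE.get(req.action, 0.9)   # unknown actions default to strict
    if assurance >= required:
        return assurance, Decision.ALLOW
    if assurance >= required - 0.3:
        return assurance, Decision.STEP_UP   # close enough to be worth another layer
    return assurance, Decision.DENY


# Constructed account profile used by the examples below.
ACCOUNT = IdentityClaim("1234", "1970-01-01", {"dev-A"}, {"US-NY"})

if __name__ == "__main__":
    # Correct static PII, but unknown device, unusual region and burst activity:
    # exactly what leaked PII buys an impersonator. A PII-only check would pass it.
    suspicious = Request("change_phone", "1234", "1970-01-01", "dev-Z", "XX", 8, 20)
    print("suspicious:", assess(ACCOUNT, suspicious))     # -> (0.26, Decision.DENY)
    legitimate = Request("change_phone", "1234", "1970-01-01", "dev-A", "US-NY", 1, 600)
    print("legitimate:", assess(ACCOUNT, legitimate))     # -> (1.0, Decision.ALLOW)
```

Because the thresholds are per action, the same request from a new but otherwise consistent device lands in STEP_UP for moving money while still being allowed to view a balance, which is the "pick and choose based on risk tolerance" behavior the section describes.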

Avivah Litan

More information can be found in Litan’s Gartner blog post “Our Country has Been Hijacked and Equifax is only the latest casualty.” Gartner clients can read more in the report “Absolute Identity Proofing Is Dead; Use Dynamic Identity Assessment Instead.”
