An Offensive Defense: Lessons from the Equifax and Marriott Breaches

Static personally identifiable information (PII) is not the answer.

In 2017, credit reporting agency Equifax announced the compromise of the personal data of 145 million U.S. consumers and limited information of residents of Canada and Great Britain, including names, addresses, Social Security numbers and birth dates.

Roughly a year later, in November 2018, Marriott confirmed that the guest reservation database of its Starwood hotel brands, covering about 500 million guests, had been accessed and copied by attackers, exposing everything from guests' names and postal addresses to passport numbers and Starwood rewards-program information.


“These breaches did not happen in isolation. There are hundreds of ongoing attacks against all kinds of companies, all of which highlight the fact that consumers have no control over their data privacy in today’s information-processing environments,” says Avivah Litan, Distinguished VP Analyst, Gartner.

“One of the solutions being recommended if you think your personal information may have been compromised is to request a credit freeze from all three major credit bureaus to ensure that hackers can’t exploit your stolen information — but my view is that will only protect you from less than 5% of the types of hacks that can happen to you.”


How can stolen data be used?

  • It could be sold and resold in the criminal underground.
  • It could be used to refresh existing stolen identity records, which are already plentiful but often out of date in terms of phone numbers and addresses.
  • It could be used to take over existing accounts, including bank accounts, brokerage accounts, phone service accounts (a common occurrence these days, for example against Bitcoin wallet holders, whose phone numbers are hijacked to intercept verification codes) and retirement accounts. “This compromised personally identifiable information (PII) data is used by call centers and online systems to verify identities when they are conducting high-risk transactions such as moving money or changing an account’s phone number on record,” says Litan. “So now, armed with the stolen up-to-date PII data, criminals can more easily impersonate their target victims to get into their accounts.”
  • It could be purchased and used by adversarial nation states that have their own plans to disrupt or steal from U.S. society. Goals can range from disrupting political processes or stealing valuable intellectual property used to manufacture weapon-related systems (e.g., missile defense) to more innocuous missions such as pilfering consumer goods’ blueprints for luxury handbags or perfumes.


What should organizations do when it comes to identity proofing and verification?

To begin, it makes no sense to rely solely on static PII to identify the individuals a business is dealing with when, according to Gartner, there is a greater than 50% chance that the data is already in criminal hands. A matching Social Security number or date of birth proves only that the caller knows the answer, not that the caller is the person. Organizations should reduce reliance on static personal data and increase reliance on dynamic identity data when performing identity verification. Systems based on dynamic non-PII data and behavioral indicators (device recognition, transaction velocity, location consistency, account-change history) are better able to assess the legitimacy and risk of an identity claim than systems based on static, regulated PII.

Even so, a layered identity-proofing approach is always the strongest approach, making it much harder for unauthorized users to compromise an organization’s assets and systems. No single identity assessment method used on its own is sufficient to keep determined fraudsters out or to verify the legitimacy of an individual identity claim.


Distributed ledger (blockchain) technology is increasingly being applied to decentralized identity as well. Commonly referred to as “self-sovereign” identity, this approach lets consumers control their own identity data and release it selectively to whomever they wish. “While the technology is not yet widespread, it is positive to see that we are moving toward this direction,” says Litan.

Fraud, security and business managers’ best bet is to use multiple layers of identity assessment. Each layer backstops the previous one, so that if criminals circumvent one layer, the next one further deters them. Conversely, each successive layer that an identity claim passes adds assurance that the claim is legitimate.
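The two points above (static PII alone is weak evidence; independent layers backstop each other) are easy to state and easy to get wrong in a verification flow. The following is an added example, not code from Gartner or from any product: a small risk engine that scores one high-risk transaction (moving money or changing the phone on record) across several independent layers and returns allow, step-up or deny. The layer names, point weights, thresholds and the two sample claims are constructed assumptions; the thing to notice is that a fraudster holding a complete, correct set of stolen PII passes the static layer and is still denied, while a legitimate customer who mistypes one static answer on a long-known device is stepped up rather than locked out.

```python
"""Layered identity assessment for a high-risk transaction.

Added example, not Gartner's or any vendor's code. Layer names, weights,
thresholds and the sample claims below are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Sequence, Tuple


@dataclass
class Claim:
    """Signals available when a user asks to perform a high-risk transaction."""
    static_pii_matches: bool          # SSN / DOB / address answers matched our records
    device_id: str
    known_devices: set = field(default_factory=set)
    ip_country: str = "US"
    home_country: str = "US"
    amount: float = 0.0
    typical_amount: float = 0.0
    failed_attempts_last_hour: int = 0
    phone_changed_days_ago: int = 3650


Layer = Callable[[Claim], Tuple[int, str]]   # each layer returns (risk points, reason)


def static_pii_layer(c: Claim) -> Tuple[int, str]:
    # A static-PII match is weak positive evidence (the data is widely stolen),
    # but a mismatch is still a useful negative signal, so it only ever adds risk.
    return (0, "static PII matched") if c.static_pii_matches else (40, "static PII mismatch")


def device_layer(c: Claim) -> Tuple[int, str]:
    return (0, "known device") if c.device_id in c.known_devices else (30, "unrecognized device")


def geo_layer(c: Claim) -> Tuple[int, str]:
    if c.ip_country == c.home_country:
        return 0, "expected country"
    return 25, f"IP in {c.ip_country}, account home {c.home_country}"


def velocity_layer(c: Claim) -> Tuple[int, str]:
    pts = 0
    if c.failed_attempts_last_hour >= 3:
        pts += 25
    if c.typical_amount and c.amount > 5 * c.typical_amount:
        pts += 20
    return pts, (f"{c.failed_attempts_last_hour} failures in last hour, "
                 f"amount {c.amount:.0f} vs typical {c.typical_amount:.0f}")


def recent_change_layer(c: Claim) -> Tuple[int, str]:
    # Changing the phone on record is the classic precursor to draining an
    # account, so a freshly changed number is itself a risk signal and must not
    # be used as the channel for a step-up challenge.
    if c.phone_changed_days_ago < 14:
        return 35, "phone on record changed recently"
    return 0, "contact details stable"


DEFAULT_LAYERS: Sequence[Layer] = (
    static_pii_layer, device_layer, geo_layer, velocity_layer, recent_change_layer,
)


def assess(claim: Claim, layers: Sequence[Layer] = DEFAULT_LAYERS,
           step_up_at: int = 30, deny_at: int = 70) -> Tuple[str, int, List[str]]:
    """Score one transaction event. Every layer is consulted; none is decisive alone.

    Callers choose which layers to run (risk tolerance, assurance needs, cost)
    and call this on every authentication or transaction, not once at onboarding.
    """
    score, reasons = 0, []
    for layer in layers:
        pts, why = layer(claim)
        score += pts
        reasons.append(f"{layer.__name__}: +{pts} ({why})")
    if score >= deny_at:
        decision = "DENY"
    elif score >= step_up_at:
        decision = "STEP_UP"   # challenge over a long-registered channel, not the new phone
    else:
        decision = "ALLOW"
    return decision, score, reasons


# Constructed sample claims (not real data).
FRAUDSTER = Claim(static_pii_matches=True, device_id="dev-new", known_devices={"dev-home"},
                  ip_country="RO", amount=9000, typical_amount=400, phone_changed_days_ago=2)
LEGIT_TYPO = Claim(static_pii_matches=False, device_id="dev-home", known_devices={"dev-home"},
                   amount=420, typical_amount=400)

if __name__ == "__main__":
    for name, claim in (("fraudster with complete stolen PII", FRAUDSTER),
                        ("legitimate user who mistyped DOB", LEGIT_TYPO)):
        decision, score, reasons = assess(claim)
        print(f"{name}: {decision} (score {score})")
        for r in reasons:
            print("   ", r)
        pii_only = assess(claim, layers=[static_pii_layer])[0]
        print(f"    a static-PII-only check would have returned: {pii_only}")
```

Run as-is, the fraudster scores 110 and is denied even though the static layer contributed nothing, while a static-PII-only check would have allowed the transfer; the legitimate user scores 40 from the single mismatch and is stepped up. Removing or reweighting layers in `assess()` is how an organization tunes the flow to its own risk tolerance and cost; the structure stays the same.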


Bottom line

Identity assessment is not a one-time event. It must be a continuous cycle that is triggered by an authentication or transaction. Organizations can pick and choose which of the layered measures to take based on risk tolerance, identity assurance requirements and cost. Situations are fluid, and constant change among a user population must be expected. The most appropriate strategy for assessing identity claims should be similarly fluid and dynamic.

This article has been updated from the original, published on September 11, 2017, to reflect new events, conditions or research.

More information can be found in Litan’s Gartner blog posts “Our Country has Been Hijacked and Equifax is only the latest casualty” and “7 Lessons from Marriott Starwood breach and what Mueller teaches us.” Visit the Gartner Digital Risk & Security hub for complimentary research and webinars.
