If recent hacking attacks such as the one at Equifax, which compromised personal data for about half of all Americans, have taught us anything, it’s that data breaches are a part of life. It’s time to plan for what happens after our data is stolen, according to Rahul Telang, professor of information systems at Carnegie Mellon University.
Companies are prone to understating the scale of hacks, which suggests that there need to be better standards for disclosing breaches. Yahoo recently confessed that its data breach actually impacted 3 billion user accounts, three times what it disclosed in December. Equifax also boosted the number of people it says were affected by its hack.
The data stolen at Equifax was highly harmful for consumers, compounded by what Telang says was an incompetent response from the company. Equifax first disclosed its data breach on Sept. 7 and says it discovered the unauthorized access on July 29. The firm, which collects data on 820 million consumers and more than 91 million businesses worldwide, said it was concerned about “copycats” breaking into its systems, an excuse disputed by experts, according to the Financial Times (paywall).
As Telang sees it, a determined hacker is probably going to succeed, yet there’s far too little focus on limiting the damage. Credit freezes could be automatic, and wherever possible data could be aggregated to protect individual identities and private information. The types of fraud-protection services that Equifax sells to customers could be made available to victims as a default.
Government intervention may be necessary, as consumers are vulnerable to the credit raters’ mistakes but have little choice but to accept their role in finance. Consumers aren’t really customers for Equifax—the company makes money from banks and credit card companies that buy data from it.
US senator Elizabeth Warren has said she wants to see the consumer credit rating industry—which is more lightly regulated than banks and credit card companies—completely overhauled. “The incentives in this industry are completely out of whack,” Warren said at a hearing. Equifax “could actually come out ahead.”
Government intervention may also be needed because companies like Equifax, Experian, and TransUnion aren’t in a particularly competitive industry. They benefit from what economists call “network effects,” meaning the bigger they become, the more financial firms are willing to share data with them, making their services more attractive to buy, according to Telang.
Even vaunted financial technology startups are unlikely to shake up the sector. While newer firms may have better machine-learning technologies or make use of alternative data sources to enhance their algorithms, Telang says their techniques can be copied, and Equifax probably has more data than they do anyway.
“This market has a propensity to consolidate around a few large firms,” he says. “One firm having a lot of data can produce more insight than lots of firms that have less data.”
And when valuable data is collected by a few firms, it makes them all the more attractive targets for hackers.