The private data of 143 million Equifax “customers” is now available for download. Have no doubt: This means you will be hacked. This means your SIM card can be spoofed. This means someone will try to get into your email and online accounts. This means someone will try to open a credit card in your name. This crass, callow, and lazy treatment of our digital data cannot stand. Equifax – and every company that dumps data like an airplane toilet dumps chunks of frozen urine – must face a reckoning.
First, we cannot allow our most precious data to be accessible via the last four digits of our social security number. Any new company that does this should be shut down. Once I tell a customer service representative the last four digits of my SSN – I just did it a moment ago with an insurance company and it sprang open my personal data like a cheap padlock – I’ve lost all security. That CSR can use my data. Someone can overhear my weak PIN. What’s worse, I use that PIN everywhere. Entering my SSN into a random form field on some well-meaning site means I’ve essentially written the password to most of my personal data on a busy highway overpass. These places are that insecure.
We must look outside the US for leadership. Estonia, for example, has already released a number of solutions to this problem including a cryptographically secure ID card. This card connects to our computers and unlocks our data. Without it no one can access our data. An even easier solution could include government-provided 2-factor ID generator. These are cheap and portable and rugged and far more secure than any static number. Further, we must also outlaw SMS two-factor authentication. In fact, thanks to the data stolen from Equifax, that process can be easily broken by (you guessed it) telling a CSR the last four digits of our Social Security Number.
Ultimately we must hold these companies accountable. Target loses your data? Don’t shop at Target. Trump Hotels dumps your credit cards for the third time in two years? Maybe AirBnB is for you. Equifax dumps your social security number? Don’t depend on their data for your products.
We must create new, secure methods for cryptographically securing our data. We must make it so that a hacker with a fast connection and knowledge of the tar command cannot drag our data off of a secure server.
Equifax, for its part, has all but given up. Their security site – a site where you type in the last six digits of your SSN and your last name to see if you’ve been hacked – seems to be down and/or attacked by phishing scammers. This kind of technical incompetence is disgusting.
Mistakes happen. Unfortunately, they tend to matter more at the very organizations where time, ineptitude, and complacence have reduced data security to a tertiary concern, well under “deciding what’s for lunch” and “increasing shareholder value.” These old organizations – Equifax was founded in 1899 and hasn’t changed much since inception – must die, to be replaced by solutions that (and I shudder to say this) blockchain-based. I shudder because I know that the dangers to our data are far more expansive if we hand them over to the cryptoratii but, ultimately, this must be the way we go.
There is precedent for this sort of technological shift. Twenty years ago if you told a CTO that she would one day pick a homegrown operating system full of bugs and spaghetti code over Microsoft she would have laughed you out of the office. “No one gets fired for buying Microsoft,” was the old saying. Now if you recommended a Windows installation over spinning up a few Ubuntu instances on Heroku you’d be considered a madman.
In short, it’s time for those who are careless big data to die. It’s up to you, the entrepreneur, to offer true and viable alternatives. Because losing your personal data is awful the first time but when it happens again and again there has to be a better way.
“There’s an old saying in Tennessee,” a wise man once said. “Fool me once, shame on you. Fool me [twice] you can’t get fooled again.”
I, for one, am done getting fooled.
Comment