Posted on Friday, September 15, 2017 in Cybersecurity. Blog written by Rob Swenson
Excuse me for being skeptical, but I don’t think most businesses take cybersecurity seriously enough. They seem to wait until company networks have been hacked, and the future of the business has fallen into jeopardy.
I say this from the vantage point of a consumer whose personal information has been exposed not once, but in at least two large data breaches.
I was concerned and angered after the first breach, which happened a couple of years ago at Anthem Inc. The second one, the recent Equifax hack, has me even more frustrated.
At the time of the incident, the Anthem hack was one of the biggest and most successful hacks by cyber thieves. It affected approximately 80 million people. It exposed their Social Security numbers and other information, leaving them vulnerable to fraud for years to come.
The Equifax hack appears to be much bigger.
On Sept. 7, Equifax announced that a “cybersecurity incident” potentially impacting approximately 143 million U.S. consumers had taken place. Criminals exploited a vulnerability in a website to gain access to files. The breach apparently happened between mid-May and July of 2017. The compromised information includes names, Social Security numbers, birth dates, and addresses. In addition, it exposed the credit card numbers of 209,000 U.S. consumers.
Don’t these companies learn anything from current events?
I initially was confused when I received a letter from Anthem in 2015. The company advised me that its IT system had been hacked, probably in late 2014, potentially exposing the personal healthcare information of customers.
Here’s what caused my confusion: People thrown into risk by the data breach weren’t just consumers covered by Anthem. Also endangered were the records of customers from companies that Anthem had assisted, including some Blue Cross and Blue Shield plans.
I didn’t even know that Anthem had been managing my records. Management of one of my prior healthcare plans – acquired through a previous employer – apparently had been farmed out. That was upsetting.
I find the recent Equifax breach even more disturbing, however.
The Anthem hack was the reason that Equifax had my information in the first place. After its records were hacked, Anthem offered to provide customers with free fraud-alert service from one of the “big three” consumer credit-rating bureaus: Equifax, Experian or TransUnion. For no particular reason, I picked Equifax. It seemed like the best known of the three options and was a reputable company.
My instincts were wrong. Equifax is a well-known company, but it obviously has not been a good steward of customer information.
Equifax hasn’t officially notified me that my information was exposed. To find out, I went to its website and entered snippets of information. The test indicated the breach probably affected me.
The company reports on its website that the breach has been contained and that the company has engaged a leading cybersecurity firm to do an assessment and provide recommendations to prevent such an incident from happening again.
Obviously, an assessment should have been done years ago, and been implemented and updated regularly since then.
Now, Equifax is offering affected customers free credit monitoring services. I’m having second thoughts about signing up. That might just put more of my personal data out into under-guarded cyberspace.
The point here is that company after company is getting hacked. The time for wake-up calls is over. Protecting electronic assets and sensitive information has got to be a higher priority in executive offices and board rooms across the nation.
After the hack on Anthem, the company advised me to remain vigilant in watching for incidents of fraud and identity theft. That is advice that Anthem obviously should have heeded itself.
Equifax, as a protector and provider of financial information, should have been even more vigilant. After all, it had two more years of experience watching company after company get hacked.
A big part of the future burden falls on consumers, too, of course. We have to be more careful about which companies we entrust with our money and our information.
So, please pardon me if I sound a little bitter. I’m disgusted by companies that don’t take cybersecurity seriously enough, and my wounds are fresh.