Gartner Blog Network


Equifax Data Breach: It’s the End of Cybersecurity as We Know It

by John A. Wheeler  |  September 14, 2017  |  6 Comments

As most everyone knows by now, one of the single largest data breaches in history was disclosed last week by the credit reporting giant, Equifax. While most people are rightly focused on the immediate impacts of this breach – personal fraud, credit and identity protections, waivers of right to sue, class-action lawsuits, etc. – few have considered the longer term implications of this event. So, here are three predictions of how the cybersecurity world will change in light of this monumental event.

1. Bankruptcy looms ahead for Equifax

In the 4 business days since the company disclosed the data breach, Equifax has suffered a $5.3 billion loss in market capitalization, which represents almost a third of the company’s total value. When considering an estimate of the potential costs associated with the data breach (based on the 2017 IBM/Ponemon Institute Cost of Data Breach Study), Equifax faces a potential loss of $20.2 billion, which currently exceeds its total market value by $8.3 billion. Also, the company currently faces more than 23 class-action lawsuits, with at least one seeking more than $70 billion in damages. The death spiral will soon take on greater momentum when executives are required to testify before Congress and are criminally investigated for potential insider trading related to the delayed disclosure of the data breach. Equifax will ultimately be acquired out of bankruptcy by one of the remaining two credit reporting companies – TransUnion or Experian.

2. Social Security Number will be replaced by a more secure National ID

The use of Social Security Numbers (SSNs) as the primary authentication device for US citizens will be eliminated. What will replace the SSN is anyone’s guess, but it can no longer serve in this capacity, since the primary method of authentication for at least half of the nation has been compromised. Perhaps the US will follow Estonia’s lead in creating a true electronic national ID?

3. A federal cybersecurity act will be passed quickly

Attempts at passing federal legislation over cybersecurity have been futile in the past, but all of that will change. Similar to what happened in the aftermath of the Enron and WorldCom accounting frauds, broad-reaching legislation will be crafted and passed, much like the Sarbanes-Oxley Act of 2002. This will occur because the impact of the Equifax breach is being felt by every single American (as well as some Canadians and Brits). Similar to the Sarbanes-Oxley requirement on the certification of internal control over financial reporting, CEOs and other executives will be required to disclose any material data breach upon discovery and personally certify to the effectiveness of their internal control over data security.

These predicted events represent major opportunities for real improvements in the management of cyber-risk and significant growth in the demand for integrated risk management (IRM) technology solutions and services. To learn more about how IRM can help your company, read more at the Gartner Blog Network or subscribe to Gartner to read more of my research on IRM technology solutions.

John A. Wheeler
Director, Technology Research & Advisory
6 years at Gartner
26 years IT Industry

John A. Wheeler is a Technology Research & Advisory Director with responsibility for leading analyst coverage of integrated risk management (IRM) technology solutions and professional services. His areas of specialty include operational risk management, executive leadership and corporate governance. Follow him on Twitter @JohnAWheeler


Thoughts on Equifax Data Breach: It’s the End of Cybersecurity as We Know It


  1. Robin Horan says:

    As a UK resident, how can I check if Equifax had any of my details, and if so, what has been disclosed to the hackers?

  2. Peter Cooper says:

    Hi John, good insights, but I have some comments. For the class actions, look at what happened with Target. A measly $10m for consumers, & only if they could prove harm. I suspect that there will be more noise than a real outcome. For the use of SSN as an identifier, the credit card schemes have had plenty of opportunity to improve the way retailers handle cardholder data (& chip + PIN is a good step) but the future of e-tail is card not present & this is where fraud is going. So I don’t see that there is a real incentive for the people who “own” SSN to actually do something differently. As to long term financial damage to the company, let’s wait & see. The majority of companies who’ve had breaches have gone on to be very healthy. Good companies & bad companies have breaches, it’s how they respond that differentiates them. When it comes to cyber security legislation, Nevada & Washington have enacted legislation building on the use of PCI-DSS. The challenge with legislation is knowing what to base it on. I suspect people will debate that for a long time to come. Cheers

    • Thanks Peter for your comments. On the Target breach, since it was credit card data that can be changed easily, courts did not view it as a case of real long-term harm. With Equifax, SSN will impact everyone for life with no ability to change. So, proof of harm is much easier and frankly unlimited. Hence, the reason for replacing SSN. On legislation, I’m not saying it will necessarily be good or effective. However, politicians will have to do something to placate the voters who are impacted across the board – Democrat, Republican, Libertarian, Green, Independent, etc. Identity theft is a multi-partisan concern.

  3. Ant Allan says:

    Hey, John.

    I partly disagree with your second point. There’s no need for SSN to be replaced by something “more secure” – as an identification number, a label, a unique name, it’s still just fine.

    The problem, as you note, is that an SSN should not be used for authentication – something Gartner, and others, have been saying for years!

    Knowing my SSN (NI number in my case, since I’m UK-based!) no more corroborates that I am me than knowing my name does. (Or knowing my mother’s maiden name – it’s Stockmann, btw.)

    The value of SSN lies in uniquely identifying me and disambiguating me from all the other Ant Allans out there.

    The acceptance that SSN is used for authentication has created the need to treat it like a “shared secret”, which has stopped folks (incl. clients I’ve spoken to) from using it freely where such a unique identifier would be far more useful and robust than home-grown schemes.

    Talking about the Estonian “electronic national ID” also includes an ambiguity which leads to bad practices – the conflation of an “identifier” with an “identity” (both of which are abbreviated “ID”). A new electronic national /identity/ could still use SSN as a person’s /identifier/.

    The real value comes from whatever methods are then used to corroborate that the identity (identified by the SSN) belongs to the person making that claim.

    And that is the hard part. Even some kind of “mobile ID” (“identity”?) using public-key credentials is not going to be the be all and end all.

    /@
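The identifier-versus-authenticator distinction drawn in the comment above can be made concrete in code. The following is an added example (not part of the post or the comments, and not Gartner's or Equifax's code): a toy registry that uses the SSN purely as a lookup key and proves identity with a separate challenge-response credential. The `Registry`, `Record` and `respond` names, the placeholder SSN and the use of an HMAC shared secret (a stand-in for the public-key credential the comment mentions) are all assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Record:
    """A person's record. The SSN is only the lookup key (the identifier);
    the authenticator is a separate secret the person holds (constructed example)."""
    ssn: str
    name: str
    authenticator: bytes  # shared secret; stands in for a private key on a device


class Registry:
    """Keyed by identifier; proof of identity comes from a challenge-response."""

    def __init__(self) -> None:
        self._records: dict[str, Record] = {}
        self._challenges: dict[str, bytes] = {}  # ssn -> outstanding nonce

    def enroll(self, ssn: str, name: str) -> bytes:
        """Enroll a person and return the authenticator they must keep secret."""
        authenticator = secrets.token_bytes(32)
        self._records[ssn] = Record(ssn, name, authenticator)
        return authenticator

    def lookup(self, ssn: str) -> Record | None:
        """Identification: the SSN disambiguates one person; it proves nothing."""
        return self._records.get(ssn)

    def issue_challenge(self, ssn: str) -> bytes | None:
        """Issue a fresh, single-use nonce for the person identified by ssn."""
        if ssn not in self._records:
            return None
        nonce = secrets.token_bytes(16)
        self._challenges[ssn] = nonce
        return nonce

    def verify(self, ssn: str, response: bytes) -> bool:
        """Authentication: the response must equal HMAC(authenticator, nonce)."""
        record = self._records.get(ssn)
        nonce = self._challenges.pop(ssn, None)  # consumed even on failure
        if record is None or nonce is None:
            return False
        expected = hmac.new(record.authenticator, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(authenticator: bytes, nonce: bytes) -> bytes:
    """What the person's device computes from its secret and the challenge."""
    return hmac.new(authenticator, nonce, hashlib.sha256).digest()


def demo() -> dict[str, bool]:
    """Walk through the four cases the comment distinguishes."""
    registry = Registry()
    ssn = "000-00-0000"  # constructed placeholder, not a real SSN
    auth = registry.enroll(ssn, "Ant Allan")
    results: dict[str, bool] = {}

    # 1. Identification by SSN works: the lookup finds the right record.
    results["lookup_finds_record"] = registry.lookup(ssn) is not None

    # 2. Knowing only the SSN (e.g. from a breach) does not authenticate:
    #    without the authenticator, any attempted response fails.
    registry.issue_challenge(ssn)
    bogus = hashlib.sha256(ssn.encode()).digest()
    results["ssn_alone_fails"] = not registry.verify(ssn, bogus)

    # 3. The holder of the authenticator answers a fresh challenge correctly.
    nonce = registry.issue_challenge(ssn)
    results["holder_succeeds"] = registry.verify(ssn, respond(auth, nonce))

    # 4. Replaying that same response fails: the nonce was single-use.
    results["replay_fails"] = not registry.verify(ssn, respond(auth, nonce))
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Because the SSN is never treated as a secret here, it can be stored, logged and shared as freely as a name; the disclosure of every SSN in the registry would not let anyone pass `verify`. That is the property the comment argues a national identifier should have.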


