UPDATED 02:48 EDT / SEPTEMBER 11 2017


What should be done to prevent more credit data hacks like Equifax’s

In the wake of last week’s hack of U.S. consumer credit reporting agency Equifax Inc., security experts are calling for big changes, including large penalties for the data brokers that hold so much of the information critical to everyone’s financial life.

“For far too long, businesses have under-invested in software integrity, relying on network-based defenses that are incapable of protecting many exploit vectors, including those associated with open source security defects,” Wayne Jackson, chief executive officer of Sonatype Inc., told SiliconANGLE. “The Equifax breach and loss of 143 million records (including mine) serves as a painful reminder of why every link in the software supply chain must be automatically and continuously managed. To do otherwise is simply negligent.”

In a disturbing development, Equifax has come under fire for requiring consumers to agree to mandatory binding arbitration if they wish to sign up for the credit monitoring offered after the hack, essentially negating their ability to join a class action lawsuit against the company.

“Equifax adds insult to injury by requiring consumers to waive their rights to a day in court and accept mandatory binding arbitration in order to take advantage of the company’s free year of credit monitoring,” John Breyault, National Consumers League vice president of public policy, said in a statement sent to SiliconANGLE. “Cybersecurity experts estimate that the effects of this breach may be felt by consumers for decades. Consumers who choose to take advantage of Equifax’s credit monitoring in response to this breach should be sure to read the fine print carefully to find out how to opt out of these outrageous arbitration clauses.”

Other experts believe the hack should serve as a warning to every enterprise.

“As a larger company, Equifax most likely spent a lot of money, time and resources securing their customer data, and yet they still fell victim to a massive attack,” said Steve Groom, director of cyberdefense at managed-services provider Proficio Inc. “Everyone should pause and ask themselves: is my enterprise doing enough? Organizations must evolve their cybersecurity programs at a faster pace, and employing security service providers (where necessary) can be one way of doing so. Security programs must also be continuously tested, so an annual red team assessment with qualified, ethical hackers can be critical in understanding how strong your cybersecurity really is.”

‘All of us suffer’

Jeremiah Grossman, chief of security strategy at SentinelOne Inc., takes it even further. “The biggest takeaway from this is that we’re all at the mercy of third-party data brokers. There are potentially thousands of organizations, both large and small, that are custodians of our personal information, that we are not customers of, that we have no control over, may not even know exist, and where we have limited recourse. So when they get hacked, it’s all of us who suffer.”

Grossman said very few of these breaches are unexpected, so there are concrete measures that could prevent, detect and fix them.

“To correct the situation, we’re going to need a combination of government assistance and a change in our social norms,” he said:

1) A unified and national breach disclosure law.
2) Data custodians being legally and financially liable for data breaches — similar to Europe’s pending General Data Protection Regulation.
3) Customers of products and services, particularly purchases of security and software, need to demand warranties from their vendors.

For those affected by the hack, Chester Wisniewski, principal research scientist at Sophos Ltd., offered the following advice. “Consumers should immediately go to https://www.equifaxsecurity2017.com and take advantage of the credit monitoring being offered. The information has been in the hands of criminals for more than six weeks already, so time is not on your side. While the monitoring is often of little value, it is worth signing up for. Consumers should take note of whether the service has an automated renewal requirement to avoid unexpected charges once the free year is complete.”

Other experts, noting that the Equifax site itself may be neither secure nor accurate enough to rely on, suggest simply assuming your information was stolen and going straight to the next step: having a credit “freeze” placed on your credit files so that no new credit can be issued in your name without your permission. More information is available from the US Public Interest Research Group.

Image: Pixabay
