AU professors offer advice in wake of Equifax breach

Published 11:40 pm Wednesday, September 20, 2017

As thousands try to determine whether they were among those affected by Equifax’s recently reported data breach of personal information, consumers and businesses alike are wrestling with the same question: How do we protect ourselves? These situations are multifaceted and require quick action, according to two Auburn University Harbert College of Business faculty members.

Social Security numbers, driver’s license numbers, birth dates and addresses were compromised, impacting an estimated 143 million consumers from mid-May to July.

“They [cybercriminals] can get your personal information and apply for a credit card in your name without you knowing about it,” said John Jahera, the Bobby Lowder Professor in Finance. “They can do a whole host of things once they get your information.”

To protect yourself against identity theft or other cybercrimes, Jahera first suggested putting a freeze on your personal credit report through the three agencies: Equifax, Experian and TransUnion. “If you freeze your credit report, that will essentially freeze someone trying to gain credit in your name. Virtually every lender will check your credit, so if it’s frozen then they cannot gain access to it,” he said.

“Monitor your other accounts carefully. I check my credit card statements online at least three times per week to see if there are any unusual charges. I check my checking account balances to see if anybody has gotten into my debit card.”

Jahera brought up another personal security risk: tax filings. “I am afraid that what we will see next tax season is more returns filed fraudulently,” he said. “With so many records being hacked, you can almost believe that somebody is going to have their tax returns filed fraudulently. There’s not a whole lot you can do until that happens, but people have to be prepared to prove who they are.”

But how can organizations make themselves immune from future cyberattacks? They can’t, entirely.

“This is a point that a lot of folks fail to grasp–there is no system immune to attack and compromise,” said Casey Cegielski, professor of information management systems and co-author of a number of data security-related research papers. “All systems have vulnerabilities that can be exploited.”

While Cegielski noted that most credit-monitoring organizations like Equifax already engage in a proactive stance toward cybersecurity, he said, “Active testing, persistent monitoring and ongoing remediation are all generally accepted practices that help reduce the likelihood of occurrence. The threat landscape is in constant flux and thus, organizations must actively monitor their exposures.”

Instead, a variety of news agencies reported that last spring cybersecurity professionals discovered a vulnerability that could allow hackers into the Equifax network and created a patch to resolve the issue.

The cyber security problem isn’t going away any time soon. Cegielski believes there will always be a “residual risk of a threat finding a vulnerability” in a system.

“Organizations must work to minimize the impact of that occurrence,” he said.

“In today’s systems environment, this is difficult with the vast scope of interconnect systems that support complex processes.”

The threat isn’t exclusive to credit bureaus, Cegielski said. Online shopping, for example, poses a major risk.

“A major online retailer has a web-based sales system connected to financial transaction processing systems that are also connected to real-time inventory systems–which are linked to logistics and shipping systems that are all accessible to customers and suppliers,” he said. “These systems share data from a common data warehouse. To get access to sensitive data related to customers, only one of those interconnected systems needs to be compromised.

“The problem now is cycle times. Threat agents are developing new forms of attacks faster today than at any previous point in time. One thing that all organizations need to do is plan to fund the security better. Too many organizations do not have adequate resources to address their current need for security.”

Security breaches create multiple threats for affected organizations. Beyond reputational damage, there is the prospect of class-action lawsuits or investigations of possible negligence.

“Equifax will suffer. Equifax will lose business,” Jahera said. “A number of big banks that use Equifax as a credit-reporting agency are considering switching to Experion and TransUnion. If you apply for a bank loan, they don’t use all three. They have a preferred agency. There will be a direct impact on their bottom line in the short run and maybe the long run. The only thing they can do at this stage is try to make sure that they review all of their systems to have the proper safeguards against this happening again and communicate with the millions of customers to the highest degree possible.”