The Equifax data breach in the USA is considered one of the most severe data breaches of all time. For the record, the largest data breach in terms of records compromised is said to be the Yahoo breach with about 1 billion accounts, followed by the MySpace breach involving 360 million accounts. But the nature of the data compromised in the Equifax incident makes it the most severe in terms of consequences.
Equifax has admitted a breach affecting about 143 million US consumers, and there could be more in the UK and Canada. It is therefore the third biggest breach in terms of numbers, and the count could climb higher.
Equifax is a consumer credit reporting agency and holds records not only of its direct customers but also of other members of the public who may never have directly interacted with it or given consent for sharing any of their personal or sensitive personal information. The 143 million figure may reflect only the accounts so far identified, and the actual number of persons whose data was exposed could be far higher.
The information Equifax held on a given person could range from personal information such as names, birth dates, addresses, Social Security numbers and driving licence numbers to financial data. Being a credit monitoring company, Equifax collected vast amounts of financial information about consumers without their knowledge. Associated information such as credit card data is also suspected to have been compromised in thousands of cases.
In the light of the information available in public, we can look at the lessons India can draw from this breach.
CIBIL is under similar Risk
The Indian equivalent of Equifax is CIBIL, along with similar agencies such as Experian India and CreditMantri. According to Bankbazaar.com, Equifax also operates in India. We should brace ourselves for a similar breach in India, where the sensitive information held by CIBIL may one day be exposed.
In India, credit rating agencies started with CRISIL and CARE, which focused on rating corporate securities and the fixed deposits of NBFCs. CRISIL and CARE learnt their trade by experimenting with their credit rating systems on the NBFC industry in India, and can historically be held accountable for one of the worst financial disasters in India, the failure of CRB Capital Markets and the subsequent developments that caused an upheaval in the NBFC market.
The undersigned was one of the early proponents of a personal credit rating mechanism, but at that time only First Leasing Ltd, headed by Mr Farouk Irani, was speaking of personal credit rating. It is a tragedy that today Mr Farouk Irani is in deep trouble and under ED investigation, but the fact that he was one of the early thought leaders in the field of personal credit rating in India has to be acknowledged. The undersigned was, however, trying to convince the Shriram Group, with its widespread presence in the personal lending sector through their "Chit Funds", to enter the field of personal credit rating, but could not succeed. After nearly 15 years, we are now in the era of the foreign credit rating agencies, including Equifax.
There are a few new-generation agencies which profess to make credit assessments from the social media activity of individuals and in the process collect large volumes of personal data. CIBIL is a little more civilized, since it collects data directly from banks and lenders under RBI patronage and hence need not scan social media for information. The accuracy of the data with CIBIL is debatable, but it is perhaps still a good reference point for most lenders.
Going by the history of how Indian credit rating agencies have developed, it is not unrealistic to expect that CIBIL data is today accessible through hundreds of service providers, not all of which will be as secure as they should be; hence a data breach at an Indian credit rating agency is very much possible. Just as Aadhaar data was easily accessible through many e-hospital portals, CIBIL data is accessible through many apps and portals which can be compromised by hackers to extract sensitive data. A repeat of the Equifax incident in India with CIBIL can therefore be expected. It is at least a risk that CIBIL needs to address.
One of the mistakes we are making in India is to create an integrated frame of data reference through Aadhaar and PAN, as well as UPI and GST. These strategies have resulted in a single interface which, if breached, can expose a billion data sets. Had the data been distributed, with some records keyed on the Aadhaar number, some on the PAN number and some on bank account numbers, a breach would have been contained within an individual silo. The Government, in a bid to manage the information, has chosen to integrate all sensitive data under a single user ID such as Aadhaar, instead of quietly integrating the databases in the back end.
This wrong strategy has created a higher risk and a greater incentive for hackers.
Privacy Risk Back in Debate
The Equifax data breach has shown that in such cases, sensitive personal information leaks from agencies which were never given consent to collect it in the first place. In the context of the debate on "Privacy is a Fundamental Right", it is an open question how CIBIL's activities may be challenged in the coming days in India.
Inadequacy of Cyber Insurance
The Equifax incident also shows the inadequacy of cyber insurance for such organizations: the cost of the breach, including notifying 143 million persons and providing free credit monitoring to those who have lost credit card information or suffered identity theft through compromised Social Security numbers, will run to a billion dollars or more, against the US $100-150 million of insurance cover the company is reported to hold.
Insider Trading Possibility
The share price of the company has fallen by 14% since the incident, and one need not be surprised if the company folds up and goes bankrupt. It is interesting to note that some executives of the company are reported to have sold large chunks of shares after the breach had been discovered internally but before it was disclosed, which indicates possible insider trading. This could also indicate internal dissensions that may have contributed to the breach, though for the record Equifax attributes the breach to a vulnerability in the open-source Struts web framework distributed by the non-profit Apache Software Foundation.
We all know that in every data breach there is a gap between the recognition of the breach within the company and its confirmation and public disclosure. If the company is listed, during this period many persons within the company hold price-sensitive information that has not been reported to the stock exchange, and a delay in reporting it may itself breach the company's stock market obligations.
If, during that window, executives trade in the company's shares, it constitutes insider trading.
It is therefore essential that the information security policy of a listed company mandate that no member of the internal team who is aware of a breach shall trade the company's shares until the breach has been publicly disclosed.
It is also interesting to note how Equifax has responded to the incident through its website, which is an example for Indian companies, who often flounder when faced with major PR disasters.
Equifax.com now redirects to the personal section, where a prominent mention of the incident has been made, with a link to a new site, equifaxsecurity2017.com.
This website gives full details of the developments and forms the public disclosure of the breach incident. It also lets individuals check their potential impact against a Social Security number.
At this point we are not aware how Equifax is addressing the possible breach for persons outside the USA. It is also not yet known whether their data has been breached.
The Equifax breach, in which Social Security numbers held by a user organization were compromised, is exactly the situation we in India have faced and will continue to face with breaches of Aadhaar data.
The reality is that when data is made available to a number of users (data exists for this purpose, and this cannot be avoided), and those users can also store what they extract from the central source, we cannot always ensure that security will hold at the user's end where the copy of the central data is stored. Most of the time the leaked data cannot be traced to the source of the leak, and hence the central database has to face the public blame.
Since media persons do not understand the intricacies of data usage, they often blame the wrong parties for the breach, and the police tend to follow the media trial. In the process citizens get incomplete and inaccurate information about the incident and its impact.
Data Protection Act
The problem with the Aadhaar database in India is that it is linked to biometrics, and hence once the data is leaked, its privacy value is lost forever. Even in the USA, the Social Security numbers leaked in the Equifax data set, when combined with other biometric databases, could mean a permanent loss of privacy for all the affected victims.
Under present circumstances all around the world, where "privacy" is tied to "personal information" stored by millions of intermediaries and large-scale data breaches are a constant possibility, it is futile to believe that a "right to privacy as the right to control how personal information in data form is used" really exists.
The Government of India is now trying to frame a "Data Protection Act", and the Minister aims at meeting global standards of data protection through it. But if global standards of data protection are indicated by what happened at Equifax, it is clear that we are chasing a dream that cannot be fulfilled.
It is better that both the Government and the Supreme Court realize that "data protection" is a good-faith, best-effort obligation, and that the focus cannot be on "data has to be protected in such a manner that it cannot be breached".
On the other hand, if we focus on "data trading" as a concept and declare "data as property" which individuals can trade, at least we will not mislead the public into believing that "data protection" and "privacy protection through data protection" can be implemented in India to the extent they believe they should be.
Once this concept of "data trading" is accepted in law, we may be able to legitimize "data pseudonymization" as a business proposition, and the concept of "regulated anonymity" can actually be put into practice.
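To make the siloing argument concrete (the single-identifier point made earlier about Aadhaar, PAN, UPI and GST, and the pseudonymization point in the paragraph above), here is an added Python example. It is not code from this page, nor from Equifax, CIBIL or UIDAI; every identifier, key and record in it is constructed for illustration. It contrasts three sector databases keyed on one shared master id with the same databases keyed on a per-sector pseudonym derived by HMAC from a secret key that only the central authority holds, and measures how many cross-sector profiles an attacker assembles if every sector's copy leaks.

```python
import hashlib
import hmac

# Constructed sample population: a 12-digit master id (Aadhaar-like) and the
# attributes each sector holds about that person. Nothing here is real data.
PEOPLE = {
    "111122223333": {
        "tax": {"pan": "ABCDE1234F", "income": 900000},
        "bank": {"account": "0012345678", "balance": 250000},
        "health": {"hospital": "e-hospital-7", "diagnosis": "diabetes"},
    },
    "444455556666": {
        "tax": {"pan": "FGHIJ5678K", "income": 1200000},
        "bank": {"account": "0087654321", "balance": 40000},
        "health": {"hospital": "e-hospital-2", "diagnosis": "hypertension"},
    },
}
SECTORS = ("tax", "bank", "health")

# Per-sector secret keys, held only by the central authority that does the
# back-end linking. Constructed values; in practice they would sit in an HSM.
SECTOR_KEYS = {
    "tax": b"constructed-tax-key",
    "bank": b"constructed-bank-key",
    "health": b"constructed-health-key",
}


def sector_pseudonym(sector, master_id, keys=SECTOR_KEYS):
    """Sector-specific pseudonym = HMAC-SHA256(sector_key, master_id), truncated.

    Keyed rather than a plain hash: a 12-digit id space (10**12 values) is
    cheap to brute-force against SHA-256, but not against an HMAC whose key
    the attacker does not have.
    """
    mac = hmac.new(keys[sector], master_id.encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:16]


def sector_dataset(sector, linking):
    """The dataset one sector holds (and could leak).

    linking="raw":       records keyed on the shared master id
    linking="pseudonym": records keyed on that sector's own pseudonym (silo)
    """
    data = {}
    for master_id, attrs in PEOPLE.items():
        key = master_id if linking == "raw" else sector_pseudonym(sector, master_id)
        data[key] = dict(attrs[sector])
    return data


def attacker_join(leaked):
    """What an attacker does with several leaked dumps: merge on the record key.

    Returns only keys seen in more than one sector, i.e. the cross-sector
    profiles the attacker could assemble from the leaks alone.
    """
    merged = {}
    for sector, dump in leaked.items():
        for key, record in dump.items():
            merged.setdefault(key, {})[sector] = record
    return {k: v for k, v in merged.items() if len(v) > 1}


def authority_lookup(master_id, datasets):
    """Back-end linkage by the key holder: recompute each sector's pseudonym."""
    return {s: datasets[s][sector_pseudonym(s, master_id)] for s in datasets}


def breach_impact(linking):
    """Full cross-sector profiles an attacker gets if every sector's copy leaks."""
    leaked = {s: sector_dataset(s, linking) for s in SECTORS}
    return len(attacker_join(leaked))


if __name__ == "__main__":
    print("profiles exposed, single shared id     :", breach_impact("raw"))        # 2
    print("profiles exposed, per-sector pseudonym :", breach_impact("pseudonym"))  # 0
    silos = {s: sector_dataset(s, "pseudonym") for s in SECTORS}
    print("authority can still link:", authority_lookup("111122223333", silos)["bank"])
```

The silo holds only as long as the sector keys stay with the authority and the leaked records carry no other joinable field: if each dump also contains name and date of birth, an attacker links on those regardless of the key, which is why the Equifax records (name, birth date, address, SSN together) were so damaging. The containment is also only as good as the weakest holder of a copy, which is the point made above about user organizations storing data extracted from a central source.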
At present, the Srikrishna Panel on data protection is unlikely to be considering any such proposal, and hence the Data Protection Act that follows may miss an opportunity to pursue a realistic data protection regime in India.
In our opinion, there is no practical use in simply repeating the words "Privacy is a Fundamental Right and Personal Data Protection is a constitutional obligation of the Government", which should be translated into a Data Protection Law.
Instead of beating around the bush, we must accept that data cannot be protected forever, and we need to frame the Data Protection Act with a declaration in the preamble that
"Data Protection is a journey in which the goal will never be reached, and hence the law aims at providing only a framework for responsible data sharing with the consent of the data subjects and for legal remedies in case of breach".
The law may therefore in effect be not a "Data Protection Act" but a "Data Breach Act" or "Data Breach Protection Act", whatever title is assigned. It should incorporate all the lessons that Equifax teaches us, along with other similar experiences.
Any other expectation is hypocrisy.