When They Ask If You're Encrypting, "I Don't Know" Is the Wrong Answer
Two months after it first disclosed the theft of 145 million consumers' personal information, Equifax is still finding ways to make the story worse.
In the latest round of congressional hearings, Richard Smith, Equifax's former CEO, confirmed that the lack of encryption on the stolen data was not caused by an error or oversight, but by a conscious decision not to encrypt. That decision seems questionable, to say the least, given that the people whose data Equifax lost had essentially no say in whether their information was part of the database to begin with.
As perplexing as Richard Smith's testimony may have been, it was the company's new interim CEO, Paulino do Rego Barros Jr., who provided the day's most difficult-to-believe sound bite.
Colorado Senator Cory Gardner had asked Barros whether Equifax was now encrypting its data in the aftermath of the breach. After two noncommittal answers from Barros, Senator Gardner seemed to lose patience.
Sen. Gardner: "Yes or no, does the data remain unencrypted at rest?"
Barros: "I don't know at this stage."
It wasn't the answer anyone wanted to hear: not Senator Gardner, not Equifax shareholders, not the hundreds of millions of people whose personal information is still being collected and sold by Equifax and similar companies. The answer did, however, illustrate the fact that many organizations have not learned the simple lesson that encryption is no longer optional.
In an age when hackers can steal terabytes of sensitive information at will, the only acceptable level of data protection is one that prevents thieves and spies from exploiting data after they've stolen it. All sensitive data needs to be encrypted, and the encryption needs to be persistent, meaning that it stays with data whether the data is at rest on a drive, in use on a device, or shared outside a company's network.
As refreshing as it was to hear a politician emphasize the importance of encryption, Senator Gardner could have gone even further. His questions were specifically about encryption for data at rest, which would likely not have changed the outcome of the Equifax breach. Encrypting data at rest can be helpful when a drive or device is physically stolen, but when hackers are able to access data remotely through an application vulnerability (which is nearly always the case), only persistent encryption can prevent them from using the data they steal.
The New Standard
Persistent data encryption is becoming the new standard for cybersecurity because no other approach lets companies prevent the negative consequences of a security breach. Whether sensitive data is exfiltrated after a network intrusion, saved in a publicly accessible cloud folder, copied by a departing employee, or exposed through some other mishap, persistent encryption keeps it safe from unauthorized use.
If Equifax had protected its sensitive information with persistent encryption, the thieves who broke into the company's network would have stolen 145 million records' worth of unusable data. The intrusion would still have been a cause for concern among the Equifax employees who were supposed to patch the exploited software, but from the perspective of the government and the public, it would have been a non-event.
As cybersecurity expert Bruce Schneier (who was invited to give a statement in a House subcommittee hearing a week earlier) pointed out, Equifax is only one of several thousand data brokers operating today. These companies collect, analyze, and sell information about millions of people, often without the consent (or even knowledge) of the people in question. Each time one of these companies is breached, it gives consumers another reason to worry about their privacy and financial security.
Data brokers, financial services companies, retailers, and other organizations can expect to be asked much more frequently whether they're encrypting the sensitive data they collect. Whether the question is being asked by politicians, consumers, or the company's own board members, it should be clear by now that the only acceptable answer is "yes."
PKWARE's Smartcrypt provides persistent encryption for sensitive information across the entire enterprise: on user devices, file servers, mainframe systems, and more. Find out how Smartcrypt can protect your organization's data today.