Here we go again, a massive breach, vague answers, questionable behavior and what can we do to protect ourselves?

What we know so far is:

- Almost half of the US population affected

- Possibly others in UK and Canada

- Info leaked names, SSNs, birthdates and possibly some driver's license numbers

- Three senior executives sold a small percentage of stocks but worth 1.8 million dollars days after detecting the breach and prior to it being reported

- The cause was a website application vulnerability

Initial thoughts:

- Another case of toxic data collection 

- Another possible case of not encrypting or salting the data

- Another case of inadequate protection

- Another possible case of not having effective compliance mandated protections in place

As victims we should demand

An investigation into the stock sale and negating and penalizing that sale. How about:

- At least 4X multiplier for profits they got from selling before the announcement

- A lockdown of at least five years for future sales for those individuals so they can help increase the value of the shares for all afflicted stockholders.

- Demanding they step down for their violations of the law if found guilty

- Demanding they step down during the investigation due to the seriousness of this action

- Barring them from any future executive stock ownership plans for life?

In terms of credit monitoring for all affected victims:

- All victims get free monitoring from all three credit reporting agencies that Equifax pays for

- We need to demand simple ways so that WE are in control of freezing or thawing our own credit records and without any fees involved

About the breach itself

Website application vulnerability what does that mean? I know what it ought to mean, but it's so devoid of facts that it seems to imply deceit. Was the application vulnerable? Was there not enterprise grade vulnerability and web application firewall protection in place? Did they not scan the application itself on regular intervals? Did they not apply patches in a timely manner? Did they run regular penetration testing? Did they not detect a change in data access patterns? All of these except one are mandated by compliance laws. Was the underlying data not encrypted? Was it not salted? So, what did they claim to do and who signed off on the forms and who misrepresented the truth?

What can you do?

Consider placing a security freeze on your records. Not that it's easy to do. 

Stronger passwords, sure, different passwords, sure. I bet you're tired about hearing about weak or strong passwords when they get leaked regardless. It doesn't matter if they are strong or weak when they are stolen in the clear. So, don't reuse the same password is better advice.

Demand two factor, sure (but I even know some banks that try to charge our small business so we can help them protect it). Here's my recommendation... When you get standard security questions, answer them strangely and differently per site. For instance, favorite food might be chair, favorite color might be giraffe, etc. Keep in mind that security questions and answers are being leaked in breaches, that means that just like passwords, reuse is finally being recognized as a threat, so are security questions and answers! Mix it up, because the real danger is that someone else will be able to takeover your own identity and you won't be able to prove you are you and that's a scary thought! Breaches allow thieves to respond better and faster than you if you're not recording your answers and if you're answering the same or in ways that others can guess. 

So, focus on passwords but start focusing more on security questions and answers, change them as often as passwords and respond in a way that guessing becomes impossible.

Closing comments

These big firms just need to end with their access to mountains of data. Any mistake affects too many people. They all get access to substantial subsidies at local and state levels to help them more ... giving them an unfair advantage over small businesses. They get healthcare pool costs FAR below any small business. They inflict greater levels of pain while getting all the breaks. Big size causes even bigger problems. At the very least, we need to hit them with bigger fees and penalties but the money needs to go to the victims directly, not the government or back to us in higher costs. More choices means we don't have to go back to the same places and pay the hidden legal fees for their mistakes.

This is a great example of why protection has to be of higher value than detection. They didn't protect our data adequately and now we have to remain vigilant to detect inappropriate uses of our data. If they don't protect, we have to detect, BUT detection does not offer protection!!! Credit monitoring is not a fix, it is not a protection approach, protection has failed.

Perhaps companies should not be collecting all this data and shouldn't be allowed to store it without our approvals.

I look forward to finding out specifically where their protection failed us.