Get All Access for $5/mo

The Equifax Data Breach Shows the Limitations of How Our Data is Stored Desktop, mobile and internet of things systems are a growing part of our life, and we must be 100 percent confident that the convenience they deliver is secure.

By George Avetisov Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.

Shutterstock

Equifax has now joined the growing list of mass credentials breaches that erode the trust we instinctively place in the service providers we rely on to access our connected world. Desktop, mobile and internet of things (IoT) systems are a growing part of our life, and we must be 100 percent confident that the convenience they deliver is secure.

If you remember the U.S. Office of Personnel, LinkedIn, Yahoo and now Equifax data breaches, one of the major things they share is the centralization of sensitive customer data.

Related: Equifax Breach Potentially Impacts 143 Million U.S. Consumers

The cost of how to balance security and usability always drives how enterprises manage identity, and the way they store customer data. Marketing intelligence may improve a service, but relying on centralized databases remains an Achilles' heel whose mark seems to get hit too often.

Using a centralized authentication model, a user logs in with a PIN, password or biometric template that is matched against a library of all users' information. This is the most common way enterprises manage identity. The biggest risk is that having to store all that personalized data means it has to be secured. Any central server containing such a large repository of information naturally becomes a target for hackers.

Making the shift from a centralized approach

Decentralized authentication inverts the process and provides a vastly more secure option for both the enterprise and the user. Instead, information is matched against an encrypted template locally stored on a user's device. That sensitive personal information is never transferred or stored. Instead the enterprise service provider only receives a "token" consisting of a random numeric string that assures the user is who they say they are. The enterprise, in turn, bears less risk of holding sensitive information.

Related: Cybercriminals Are Targeting Small Businesses That Don't Take Cybersecurity Seriously

Decentralized authentication places the power to manage one's identity back in the hands of those to whom it belongs, its owners. It also greatly modernizes the enterprise landscape and disrupts the hacker business model of exploiting large payloads of credentials to sell on the dark web. Forcing a hacker to go from device, to device, to device in the hopes of obtaining one user's credentials is a completely un-scalable economic model.

Moving to the decentralized model will greatly reduce the potential of a mass credentials breach like Equifax, Yahoo, Home Depot and the U.S. Office of Personnel. While not every solution is guaranteed, a fundamental shift in the authentication model can truly keep valuable information like personal credentials from walking out the door.

Why Equifax was unprepared for a breach

As for further details on Equifax, it looks like the attack was most likely due to an unpatched version of the open-source Struts web application framework, which enterprises use for creating web applications. A vulnerability was identified in this framework several years ago and fixed, but it doesn't look like Equifax applied that fix to its web application. Enterprises must do better to ensure their security practices include simple, but regular maintenance and timely updates of third-party libraries. Additional layers of security should also be deployed for web applications where proper separation of concerns is implemented. Subsets of critical data should only be made available to any particular web application service.

Related: The Simple Trick to Making an Easy-to-Remember and Nearly Impossible-to-Hack Password

Furthermore, continuous monitoring needs to be the norm for security critical systems where remediation actions are automated. The attempt to suddenly export millions of data records should have been flagged and acted upon automatically to prevent such an attack, regardless of the fact that Equifax was using an un-patched version of the Struts framework. The Equifax hackers exported millions of user records in a very short period of time. Accessing such a large number of records is probably not a very uncommon event within that application. Therefore, it should have been flagged and automatically prevented by the firm's security tools (if it had them).

Proactive security solutions means rethinking the whole vulnerability model. A proper solution combines the most innovative, if unconventional, ways of approaching how services are provided, and the automation that comes from monitoring them. If enterprises like Equifax don't want to lose data that they don't have to hold, they need to work to ensure they no longer hold it. There's a better way to secure our connected world than having to hold information whose loss might harm the economy, individuals and our trust in the technology landscape we all love. It's a trend one would rather see, than hear about another mass credentials breach.

Related Video: A Genius Former Hacker Explains How to Keep Your Business Safe From Cyber Attacks

George Avetisov

CEO and co-founder of HYPR Corp.

George Avetisov is the CEO and co-founder of HYPR Corp., provider of secure and decentralized biometric authentication for the internet of things. As a repeat entrepreneur, Avetisov has focused on ecommerce security, specializing in fraud and identity for a decade.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Side Hustle

'Hustling Every Day': These Friends Started a Side Hustle With $2,500 Each — It 'Snowballed' to Over $500,000 and Became a Multimillion-Dollar Brand

Paris Emily Nicholson and Saskia Teje Jenkins had a 2020 brainstorm session that led to a lucrative business.

Business News

'I'm Not Trying to Land on Mars': Mark Cuban Takes Dig at Elon Musk to Explain Why His Online Pharmacy Isn't Trying to Make More Money

Mark Cuban Cost Plus Drug Co. is an online pharmacy co-founded by Cuban and radiologist Alex Oshmyansky.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Business News

'It's Not About You': How to Fire Someone Effectively, According to Kevin O'Leary

O'Leary says that if you can't fire someone, you aren't the right leader for the organization.

Business News

Meta Makes $1 Million Dollar Donation to Donald Trump's Inaugural Fund

Meta CEO Mark Zuckerberg also reportedly gave Trump a pair of Ray-Ban Meta smart glasses.

Marketing

Your Most Powerful Marketing Weapon Is Hiding in the Finance Department — Here's Why

Transform your marketing leadership by turning finance from a barrier into a strategic ally. Learn how aligning with your finance team can drive unprecedented growth and innovation.