The Equifax Data Breach Shows the Limitations of How Our Data is Stored

Desktop, mobile and internet of things systems are a growing part of our life, and we must be 100 percent confident that the convenience they deliver is secure.


By George Avetisov


Opinions expressed by Entrepreneur contributors are their own.

Equifax has now joined the growing list of mass credential breaches that erode the trust we instinctively place in the service providers we rely on to access our connected world. Desktop, mobile and internet of things (IoT) systems are a growing part of our lives, and we must be 100 percent confident that the convenience they deliver is secure.

If you remember the U.S. Office of Personnel, LinkedIn, Yahoo and now Equifax data breaches, one of the major things they share is the centralization of sensitive customer data.


The trade-off between security and usability always drives how enterprises manage identity and how they store customer data. Marketing intelligence may improve a service, but relying on centralized databases remains an Achilles' heel, and one that gets hit far too often.

In a centralized authentication model, a user logs in with a PIN, password or biometric template that is matched against a library of all users' information. This is the most common way enterprises manage identity. The biggest risk is that storing all that personal data means all of it has to be secured: any central server holding such a large repository of information naturally becomes a target for hackers.

Making the shift from a centralized approach

Decentralized authentication inverts the process and provides a vastly more secure option for both the enterprise and the user. The user's information is instead matched against an encrypted template stored locally on the user's device, so the sensitive personal information is never transferred or stored centrally. The enterprise service provider receives only a "token," a random numeric string, that assures it the user is who they say they are. The enterprise, in turn, bears less risk because it holds less sensitive information.
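The following Go program is an added illustration of the model just described; it is not code from the article or from any product. It assumes one concrete way of realizing the "token": the device holds a private key, matches the PIN locally (the PIN stands in for the encrypted biometric template), and signs a random server challenge with that key. The server stores only each user's public key, so a dump of its database yields nothing that can be replayed. The user name and PIN are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device models the user's phone. The private key and the local
// verifier (a PIN here, standing in for the encrypted template the
// article describes) never leave it.
type Device struct {
	priv     ed25519.PrivateKey
	localPIN string
}

// Server models the enterprise service. It stores one public key per
// user and nothing else that could be replayed or sold if it leaked.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{
		pubKeys:    map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Register runs enrolment: the device generates the key pair locally and
// sends only the public half to the server.
func Register(s *Server, user, pin string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &Device{priv: priv, localPIN: pin}, nil
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Unlock is the local match: the PIN is compared on the device, and only
// if it matches is the challenge signed. The signature is the "token"
// that travels to the server; the PIN itself never does.
func (d *Device) Unlock(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.localPIN)) != 1 {
		return nil, errors.New("local verification failed")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Verify checks the token against the stored public key and consumes
// the challenge so a captured token cannot be replayed.
func (s *Server) Verify(user string, token []byte) bool {
	pub, ok := s.pubKeys[user]
	nonce, ok2 := s.challenges[user]
	if !ok || !ok2 {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, nonce, token)
}

func main() {
	s := NewServer()
	dev, err := Register(s, "alice", "2468") // constructed sample user and PIN
	if err != nil {
		panic(err)
	}
	nonce, _ := s.Challenge("alice")
	token, err := dev.Unlock("2468", nonce)
	if err != nil {
		panic(err)
	}
	fmt.Println("first use accepted:", s.Verify("alice", token))
	fmt.Println("replay accepted:   ", s.Verify("alice", token))
	fmt.Println("server holds for alice:", len(s.pubKeys["alice"]), "bytes of public key only")
}
```

The point to notice is what each side keeps: the device keeps the secret and the matching template, the server keeps a public key and a one-time challenge. Stealing the server database gives an attacker nothing to log in with, which is the economic shift the article argues for.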


Decentralized authentication places the power to manage one's identity back in the hands of those to whom it belongs, its owners. It also greatly modernizes the enterprise landscape and disrupts the hacker business model of exploiting large payloads of credentials to sell on the dark web. Forcing a hacker to go from device to device to device in the hope of obtaining one user's credentials at a time is a completely unscalable economic model.

Moving to the decentralized model will greatly reduce the potential for a mass credential breach like those at Equifax, Yahoo, Home Depot and the U.S. Office of Personnel. While no solution is guaranteed, a fundamental shift in the authentication model can truly keep valuable information like personal credentials from walking out the door.

Why Equifax was unprepared for a breach

As for further details on Equifax, it looks like the attack was most likely due to an unpatched version of the open-source Struts web application framework, which enterprises use for creating web applications. A vulnerability in this framework was identified and fixed several years ago, but it doesn't look like Equifax applied that fix to its web application. Enterprises must do better to ensure their security practices include simple but regular maintenance and timely updates of third-party libraries. Additional layers of security should also be deployed for web applications, with proper separation of concerns: any particular web application service should be given access only to the subset of critical data it actually needs.


Furthermore, continuous monitoring, with automated remediation actions, needs to be the norm for security-critical systems. The attempt to suddenly export millions of data records should have been flagged and acted upon automatically to prevent such an attack, regardless of the fact that Equifax was using an unpatched version of the Struts framework. The Equifax hackers exported millions of user records in a very short period of time. Accessing such a large number of records in so short a time is probably a very uncommon event within that application, so it should have been flagged and automatically prevented by the firm's security tools (if it had them).
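As an added example of the kind of check this paragraph calls for (not code from the article or from Equifax), the Go program below keeps a sliding window of export volume per actor and raises an alert, the hook for an automated block, when an actor's exports in the trailing window exceed a threshold. The log line format, the actor names, the timestamps, the five-minute window and the 10,000-record threshold are all constructed for the example; a real deployment would derive the threshold from the application's observed baseline.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// ExportEvent is one bulk read of records by an actor (user, service
// account or application) at a point in time.
type ExportEvent struct {
	At      time.Time
	Actor   string
	Records int
}

// ParseExportLine reads one line in the constructed format
// "<RFC3339 time> user=<actor> action=<verb> records=<n>" and returns an
// event only when the action is an export; anything else is skipped.
func ParseExportLine(line string) (ExportEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return ExportEvent{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return ExportEvent{}, false
	}
	ev, isExport := ExportEvent{At: at}, false
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "user":
			ev.Actor = kv[1]
		case "action":
			isExport = kv[1] == "export"
		case "records":
			n, err := strconv.Atoi(kv[1])
			if err != nil {
				return ExportEvent{}, false
			}
			ev.Records = n
		}
	}
	if !isExport || ev.Actor == "" {
		return ExportEvent{}, false
	}
	return ev, true
}

// Alert is raised when an actor's export volume in the trailing window
// exceeds the threshold; an automated response would act on it.
type Alert struct {
	Actor           string
	At              time.Time
	RecordsInWindow int
}

// Monitor keeps a sliding window of export events per actor.
type Monitor struct {
	Window    time.Duration
	Threshold int
	history   map[string][]ExportEvent
}

func NewMonitor(window time.Duration, threshold int) *Monitor {
	return &Monitor{Window: window, Threshold: threshold, history: map[string][]ExportEvent{}}
}

// Observe records an event (events are fed in time order) and reports
// whether it pushed the actor's windowed total over the threshold.
func (m *Monitor) Observe(ev ExportEvent) (Alert, bool) {
	hist := append(m.history[ev.Actor], ev)
	cutoff := ev.At.Add(-m.Window)
	drop := 0
	for drop < len(hist) && hist[drop].At.Before(cutoff) {
		drop++
	}
	hist = hist[drop:]
	m.history[ev.Actor] = hist
	total := 0
	for _, e := range hist {
		total += e.Records
	}
	if total > m.Threshold {
		return Alert{Actor: ev.Actor, At: ev.At, RecordsInWindow: total}, true
	}
	return Alert{}, false
}

// Scan feeds a whole log through the monitor and collects the alerts.
func Scan(m *Monitor, log string) []Alert {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if ev, ok := ParseExportLine(sc.Text()); ok {
			if a, hit := m.Observe(ev); hit {
				alerts = append(alerts, a)
			}
		}
	}
	return alerts
}

// sampleLog is constructed for this example: routine analyst exports,
// then one application pulling records far faster than its normal rate.
const sampleLog = `2017-01-01T10:00:00Z user=analyst1 action=export records=200
2017-01-01T10:01:00Z user=analyst1 action=export records=300
2017-01-01T10:01:30Z user=consumer-portal action=lookup records=1
2017-01-01T10:02:00Z user=consumer-portal action=export records=4000
2017-01-01T10:02:10Z user=consumer-portal action=export records=4000
2017-01-01T10:02:20Z user=consumer-portal action=export records=4000
2017-01-01T10:20:00Z user=analyst1 action=export records=300`

func main() {
	m := NewMonitor(5*time.Minute, 10000)
	for _, a := range Scan(m, sampleLog) {
		fmt.Printf("ALERT %s: %s exported %d records within %s; revoke session and block further exports\n",
			a.At.Format(time.RFC3339), a.Actor, a.RecordsInWindow, m.Window)
	}
}
```

On the sample log the analyst never exceeds the window threshold, while the application's third 4,000-record pull within twenty seconds trips it. The design choice worth copying is that the check is per actor and per window rather than per request: a single lookup of one record is never suspicious, but the rate at which one identity drains the store is the signal a response can automate on.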

Proactive security solutions mean rethinking the whole vulnerability model. A proper solution combines the most innovative, if unconventional, ways of approaching how services are provided with the automation that comes from monitoring them. If enterprises like Equifax don't want to lose data that they don't have to hold, they need to work to ensure they no longer hold it. There's a better way to secure our connected world than holding information whose loss might harm the economy, individuals and our trust in the technology landscape we all love. It's a trend one would rather see than hear about another mass credential breach.


George Avetisov

CEO and co-founder of HYPR Corp.

George Avetisov is the CEO and co-founder of HYPR Corp., provider of secure and decentralized biometric authentication for the internet of things. As a repeat entrepreneur, Avetisov has focused on ecommerce security, specializing in fraud and identity for a decade.
