informa
/

How Should Data Brokers and Credit Bureaus Be Protecting Your Data?

The largest stewards of personally identifiable information have poor cybersecurity records. What have they learned from previous breaches?

Your data is out there. There’s no way around it. Unless you don’t use the Internet and make purchases exclusively in cash, companies have information on you and are probably using it to make a profit by selling it to marketing agencies. Even if you are living off the grid, credit bureaus and data brokers still possess troves of sensitive personal information -- and there isn’t much you can do.

Sloppy data management practices have resulted in breaches affecting millions and billions of consumers. Credit bureau Equifax’s 2017 data breach, for example, exposed Social Security numbers, names, and birthdates of nearly 147 million people, as well as millions of drivers’ license numbers, email addresses, and phone numbers, and about 200,000 credit card numbers.

The company was accused of a slow and inefficient response to the attacks -- a finding consistent with data breaches in general.

“Most companies are handling data leaks very slowly,” says Asif Savvas, co-founder and CPO of Simeio, a global identity security services provider that works with data brokers and other data-intensive organizations. “Because many data brokerages, marketing companies and credit bureaus employ a reactive, fragmented cybersecurity approach, they lack the convergence needed to identify and remediate threats before data is compromised.” IBM’s 2022 Cost of a Data Breach report finds that on average, it takes 207 days to identify a data breach and another 70 to get it under control.

In the interim, any number of bad actors have access to the exposed data, resulting in a cascade of deleterious effects for consumers.

Breaches at credit bureaus have particularly severe downstream impacts. Because they are themselves the organizations that provide identity protection and identity verification services, breaches there weaken entire security ecosystems -- they weaken the knowledge-based authentication used by many businesses and the identity protection trusted by consumers.

Given the frequency and severity of these attacks, one can’t help but wonder: Are these companies doing anything to improve their stewardship of our data? InformationWeek talked to experts in the field about what these data clearinghouses should be doing to protect our sensitive personal information.

Anonymization & Encryption

Data needs to be protected both when it is at rest and when it is in transit. Ensuring that data is anonymized effectively is a crucial measure -- some 99.98% of Americans could be easily reidentified using simple demographic factors, according to a 2019 study published in Nature by scientists from Imperial College London and Université catholique de Louvain.

Arti Raman knows all too well what happens when data isn’t effectively encrypted and anonymized at all points during its life cycle. She and her family were victims of the Equifax breach -- and as a result, suffered a cascade of compromised accounts.

In response, she founded Titaniam, a data security company that makes products to ensure data remains encrypted while it is in use. Using her background in cybersecurity at such companies as Symantec, she devised a series of four solutions in which data remains fully searchable while still anonymized.

“We lean on creating secure indexes. Indexes are how a database does a search,” she explains. “In that way, companies can have massive databases and make sure they're always encrypted. When queries hit those systems, we are able to return the right records without any decryption at all, and the results come back encrypted as well. So, 60–80% of the time, you never need to decrypt your data.”

Restricting Access

Data protection often involves the use of expensive technology and third-party services. But simple organizational changes can have a significant effect as well. One of the most parsimonious steps that credit bureaus and data brokerages can take is to simply restrict who has access to available datasets. Broad access equates to excessive exposure. The IBM report found that at least 8% of attacks originated with a malicious insider. That isn’t good.

“If you restrict who can access what information, you make your company less vulnerable,” says Josh Thill, Founder of Thrive Engine, a web design and development company that works with small businesses. “A data analytics tool's security is only as strong as its weakest link, and each access point represents a potential entry point. A brute-force assault can compromise your entire system if even one account has a weak password.”

Conversely, siloing data can slow down operations significantly -- and create vulnerabilities of its own. “Data silos aren’t only terrible for analysis; they may also leave your data vulnerable,” says Inga Broerman, VP of marketing at billing solutions provider BluLogix. “When information is held in isolated silos, it can't be easily accessed or shared. As a result, it’s common for information to end up in untrustworthy programs. It also increases the risk of misplacing certain data.”

“Data management plans spell out in fine detail who has access to what, and where and how information is stored,” she observes. “That way, you won't have to worry about using a plethora of data-handling tools and forgetting which ones you've already installed.”

“For example,” says Simeio’s Savvas, “a privileged access management [PAM] system might be implemented to ensure only select company executive users are allowed access to a business’s most sensitive customer or client data, while entry-level employees only have access to working documents they need on a daily basis.”

Coordinating Security Tools

The security solutions used by data handlers to protect their precious cargo are often piecemeal and thus more easily compromised.

“Consider the security measures of each instrument in your marketing stack before adding any new ones,” adds Thill. “There can be no assurance that your data will remain safe if the tool isn't foolproof.”

“Their heart is in the right place, because the business might be paying top dollar for individual tools to cover every possible security issue they’re aware of today, but the solutions must speak to one another or a breach can still go unnoticed,” Savvas says. “It’s a blind spot for a ton of businesses who don’t understand the importance of convergence.”

“The best way to do this is via an identity orchestration [IO] platform, which integrates all security solutions into one unified view,” he says. “This makes it easier to see what’s working and what isn’t. It can analyze data in real-time to prompt the company CIO or CISO to investigate any suspicious activity before the system is breached.”

Data Minimization

“Data mapping and enforcement of data protection by design is the key to improving data protection and preventing data breaches. It’s also critical to understand which storage and databases are in use, and which are simply duplications that can be removed and thereby reduce the risk of a leak or breach,” says Uzy Hadad, CEO and co-founder of data privacy startup Privya.AI.

He advises paring down stored data to the absolute minimum necessary to perform necessary tasks.

This trend is in line with what is already required by the European Union’s General Data Protection Regulation (GDPR), which requires that data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” Advocates pushing for similar legislation in the United States point out that minimizing data would benefit all parties by decreasing storage requirements and simultaneously reducing exposure to risk.

Consumers Take Action

As data handlers take halting steps toward more responsible data stewardship, some companies are stepping into the breach and offering more immediate solutions. They act as “authorized agents,” sending requests to data brokers and marketing agencies to not sell or to outright delete personal data that they hold.

Domenic Perfetti founded one such company, Freeze. “We simplify the process,” he says. “Some of it is automated. But there's a lot of manual work.”

“Security often comes last,” he laments. “Data brokers go, ‘Okay, how can we fix this later?’”

His job, as he sees it, is to protect his customers’ data from exposure while they figure that out. And, surprisingly, most brokers have been relatively cooperative. Still, what a do-not-sell or delete order may actually mean can get “pretty gnarly” he says. “We'd like to unpack and dig into that.”

Services like those provided by Freeze may nevertheless be the best option for cautious consumers in the near term. Plenty of security options are available to the entities that hold personal data -- but whether they are implementing them is far from certain.

What to Read Next:

What the FTC’s Scrutiny of Data Collection and Security May Mean

Can Data Collection Persist Amid Post-Roe Privacy Questions?

Data Privacy Enforcement Actions Step Up

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing