It’s very likely that you’ve heard about the Equifax hack by now. If not, here’s the summary: earlier this year Equifax was hacked, and the breach left 140+ million people at risk of having their identity stolen, or at least their credit card details, SSNs, and so on.
Chances are you may actually be among the victims. If not, some of your clients definitely are, whether homebuyers or sellers.
I believe you deserve an explanation to better understand the “why” and the “what now”, both for you as an individual and a potential victim, and for you as a title agent.
Let’s start with the “why”
Several online sources report that Equifax has been using a rather old technology framework. There were security vulnerabilities that hadn’t been fixed. This is 2017 and any company still using an MVC framework (like Apache Struts – the one reported as being used by Equifax) is a little “stuck”. About 10 years ago stuck.
This is a common problem with large companies. Their technology stack is usually behind, as any kind of change, especially a technology change, has to go through a very slow approval mechanism.
However, not fixing security vulnerabilities is a problem, regardless of the technology you may still be using. We’d love to hear from the Equifax CIO on this one, but chances are we won’t hear a thing.
Now that we know the probable cause that allowed the hackers to actually break in, let’s move on.
Ok, you have been hacked. It happens. Nothing is 100% secure. However, just as with a robber breaking into your home, it’s all about the stuff he can get his hands on. I mean, he’ll take your TV, some appliances, but if you keep money and other essentials in the safe deposit box, there’s a huge chance he’s not getting his hands on those and you’re somewhat safe.
With data security it’s the same. There are 3 things to consider when assessing if a system is “safe”:
a. Data in Use – How easy is it for someone to actually impersonate you and access your account and the data in it?
b. Data in Transit – How secure is the connection between your device and the servers where the data is kept?
c. Data at Rest – Is the data being kept encrypted?
If hackers managed to break their way into Equifax’s servers, the question in my mind is this: Was the data unencrypted, in such a way that they simply got access to all those SSNs and credit card details and everything?
Normally, even if they hacked into the server, they should have found a bunch of encrypted gibberish that would have made no sense to them without a decryption key.
My guess is that, as with the LinkedIn hack, data (in their case passwords) was stored totally non-secure, unencrypted, just sitting there, ready for the taking. I may be wrong, but looking at all the articles online, I get this impression.
So yeah … security vulnerabilities that haven’t been taken care of may have allowed hackers to go in, but then, possibly (I am only guessing here), the worst data security non-compliance of all: storing data unencrypted.
And now, a lesson in PR.
First, it took Equifax months to acknowledge the hack and make it public. Terrible. But not unacceptable. What’s unacceptable is that instead of choosing to maintain their reputation for the long term, they chose to do whatever was necessary to mitigate the financial risk.
Meaning … they allegedly set up this service, where you can log in and find out if your data is safe. However, the agreement fine print, once you signed up, is reported to practically state that you are waiving your right to sue them or be part of a class action lawsuit. How convenient!
Anyways, there are many online articles on what to do if you’ve been hacked. So, to you personally, we recommend that you take those steps. Now!
But what we also recommend is actually putting out content as a title agency. Content that will help real estate agents reach out to their homebuyers and sellers and let them know about this breach and what to do about it. Assume a leadership role whenever you get the chance and reap the benefits later on.