Just like the ongoing debates among forecasters in recent weeks about the relative size of Hurricanes Harvey and Irma, the scale and implications of this latest breach involving Equifax are enormous despite the fact that it might not register as "the" largest breach ever. Yes, there have been larger incidents (e.g. Yahoo's breach of nearly 1 billion account records) but the size of this one – while troubling – is not the main reason it is newsworthy.
This event becomes "newsworthy" since it now effectively means that:
Attackers can now open new accounts more easily. Whether it's a financial account or otherwise, the credentials that most organizations require for new account opening are now barely relevant for roughly half of the US population.
Common consumer-related authentication problems will exist for a long time. The credentials stolen can be used to attack and to manipulate so many different types of accounts (financial, telco, utilities, etc.). This means that the implications of this attack go far beyond the financial services world.
Don't just think about the online world. The implications also go beyond the online world, as these credentials are used to prove who you are to a call center agent, to a store clerk at a wireless store (e.g. when upgrading a device), and also of course online.
Consumers don't have an obvious outlet: Who is a consumer going to report this breach incident to? Equifax (and its competitors) are basically the last line of defense when a US consumer wants to do something to mitigate possible identity theft. Who are US consumers supposed to hire to help them figure out identity theft-related problems?
This breach poses enormous problems to US regulators, US consumers, and US businesses. The very fabric of how "The Average American Consumer" proves who they claim to be has been turned on its head if the credentials that were supposedly stolen prove to truly have been stolen.
Accepting this new normal, and then actually doing something about it, is going to be an issue that we as a society will continue to deal with in the coming years. Barring any significant regulatory, business, or technology change (which, for a country of more than 300 million people, is hard to imagine happening quickly), the direct and indirect problems stemming from this breach will probably live on longer than those of most other breaches we've seen in the past few years.