Yesterday Equifax (you know, the folks that sell credit monitoring services) announced that they were breached. 143 million Americans (or 44% of all Americans) had their personal information exposed.
The 143 million Americans exposed by Equifax, the 22 million exposed in the 2015 OPM breach, and the 1.5 billion records exposed by Yahoo would seem to indicate that there is no data left to breach. The chickens are out of the henhouse. So where do we go now?
Security is a series of layers. Physical protection, perimeter protection, system protection… Preventative, detective, and corrective controls… Compensating controls for when any of those fail. Security is hard. It is easier to tear something down than to build something up. The time I spent breaking into systems and networks was a lot easier (and more fun) than the time I spent trying to protect them.
So do the victims get a free pass? No! Because they aren’t the victims, we are. The information that is lost is ours. We entrust our personal information to these companies – in the case of Equifax and the other credit reporting companies, we don’t have much say in the matter. They have a duty to protect our information from the threats we know are out there.
They need to do the hard work.
Hey, the good news is that Equifax is offering credit monitoring services for the people affected by the breach of their own systems. That certainly makes me feel more secure.