The past week’s news cycle has been covered by information regarding the Equifax breach. There are rumors on how the breach happens, rumors and accusations (arm chair judge Judy and executioner) about improper stock sales, and a half million class action law suits.
(I exaggerate on numbers)
This post isn’t going to talk about breaches in general, it’s not going to talk about this breach from a technical standpoint… what I’m going to talk about is something different.
If your bank gets hacked, crap, that sucks. If your doctor/insurance gets hacked, crap, that sucks. They’ll sign you up for identity protection, and you’ll forget about it.
The interesting part about Equifax, is that you don’t have an account with them. You’ve never interacted with Equifax, unless your credit score… but guess what? That’s not the information that got stolen.
The data that got stolen, the super important data about your life, was given to them by other entities. Your bank gave them your information. Your credit card company gave them your information. Did you know they did that?
You gave them permission to in your contract, but, did you realize you did? (Of course not, no one reads the fine print!)
Now that you’re ticked off because someone else shared your data, to someone who couldn’t protect it… what do you do?
That’s the way credit reporting and your credit score work. For you to have a credit score, entities have to report to Equifax, Transunion and Experian.
What could have been done? Tokenization.
There’s a concept in security, and more specifically secure data storage and transmission called tokenization. Essentially, a developer trades a secret piece of data (SSN, account numbers, etc) and swaps it for a token. The token can later be swapped back for the initial piece of data if necessary. This is great inside a company, like a bank. Instead of storing a SSN in a operational database, you store the token. The only time you need the SSN could be printing paper that needs it, or filing a legal document.
There’s a challenge with tokenization for credit reporting. Every bank needs to report someone like ME as the same person. Bank A can’t have token 1234 for me, while Bank B reports me as ABCD. They both need to report me as the same. If Bank A and Bank B can both report on me as ABCD1234 then Equifax et al, don’t need to know my SSN. The banks I have a relationship do.
How do we accomplish this? That’s the big big challenge… could be my next billion dollar idea… (yeah, I just gave it away, but, execution is 99% of the challenge)