How Developing Countries Can Prevent Their Own Equifax Breach

26 October 2017
3 comments

Developing countries have a great advantage when it comes to data security — they can learn from the lessons of developed countries. The recent incident involving the security breach at the American credit bureau Equifax, that exposed the personal information of over 145 million people, provides two important lessons: avoid big databases where possible and give consumers more control over their personal information.

The development of digital financial services has brought millions of consumers around the world into the financial system, offering opportunities to transfer and save money in ways that can improve their lives. But digital finance leaves a digital footprint — lots and lots of data. In some countries, those data are being aggregated into ever-growing databases. Credit bureaus, which collect a huge amount of information on consumers’ past financial behavior, are among those creating such massive databases. And there has been a growing trend to expand the types of information held by these credit bureaus to include nontraditional data, such as the contents of SMS messages and emails, social media and even psychometric test results. In the past, it might have been most efficient for these bureaus to aggregate this information into massive databases. Yet it is obvious that collecting so much sensitive information in centralized locations creates attractive targets for cyber thieves. This is just what happened to Equifax, which despite being on notice of this significant risk, failed to take adequate measures to protect millions of people’s sensitive information.

Children use a computer in rural India

Photo: Sudipto Rana, 2014 CGAP Photo Contest

For developing countries, the first lesson from the Equifax breach is that it would be far better to decentralize personal information, keeping it in the hands of the firms, such as banks and credit card companies, that use it on a regular basis to run their business. Why build and maintain huge databases in a high-speed, networked 21st century world despite the risks? One reasonable answer is that communications facilities in some countries may not be sufficiently fast, pervasive and reliable. Nonetheless, it’s a good time to consider whether decentralization is realistic and plan for it in the future. In a decentralized system, to fulfill a request for someone’s credit report, a credit bureau could poll a network of financial institutions for that consumer’s credit history and compile it into a report. Bypassing the need for huge centralized databases in this way could reduce the vulnerability to hacking and the resulting incidents of identity theft and fraud.

Potential Equifax victims have been encouraged to freeze their credit files to prevent criminals from obtaining credit in their names. Unless the freeze is lifted, creditors will be unable to access the victim’s credit report. Believe it or not, in some cases in the United States, consumers must pay the credit bureaus not to give out their information without their consent. It’s time to put consumers in charge of who can access their information.

India provides a lesson about how this can be done. India Stack is a collection of tools that are being used to bring more Indians into the financial system. A key component is the “digital locker,” which allows people’s records, such as birth certificates, driver’s licenses and bank statements, to be kept in a secure environment. Individuals can then authorize access to their information using a biometric national identifier when applying for a loan or opening a bank account, giving the lender electronic access to documents needed to consider their credit application. Access can be authorized at a granular level — permitting a lender to see certain documents in the locker, including bank statements and utility bills, but not others, such as medical records, which should only be seen by health professionals.

Financial institutions and other firms could report transaction information not to credit bureaus but to individuals’ digital lockers. These documents can be digitally signed by the reporting firm to ensure their legitimacy. This approach would address many of the concerns highlighted by the Equifax breach. First, while digilocker security can never be guaranteed, security practices are followed, such as encrypting transmissions to the locker and meeting international data center security practices. Second, instead of having to freeze access to their credit history, consumers’ information would be released only with their express consent. Third, it would give consumers the opportunity to review their credit history any time they wanted at no cost, and dispute it with furnishers so a more accurate, timely set of information would be available in their digilocker when they decide to apply for credit.

Now is a good time to start using network technology and digital lockers to better protect consumers’ privacy.

 

Comments

Submitted by Christelle Sche... on
Thanks for the article. Digital lockers seems to be a very efficient solution. But could you clarify at which step and frequency the client would have to decide on the type of granularity of locking and unlocking the information he could do and weather it would be easy for him to do it properly. Would client always have a good understanding of what information they should unlock and what they shouldn't and would some firms still not try to pressure clients to give some confidential information in order to access their services ? so that there are quite a number of questions regarding the education of client and their rights on data privacy that need to ne addressed.

Submitted by Sanjay Jain on
The key idea in the consent layer of the india stack (now referred to as the data empowerment and protection architecture) is that to empower people based on their data, you have to invert the ownership of the data - it belongs to the individual, and they must have control over it, even though it is in the custody of the service provider. There are many other learnings from the equifax case: the use of an identifier without authentication is fraught with danger, you need controls inside your organization, thus limiting exposure, as well as effectively creating multiple layers of security (and not just a single outer layer).

Submitted by Michael Joyce on
Digital lockers sound like a great idea. The business model of credit reporting firms is about releasing information, the business mode of a locker is about protecting it. Given the customers of credit firms are banks, not consumers, it is no wonder they prioritise the ability to access and release information over its protection

Add new comment