IT News & Events

News about IT at Indiana University and the world


IU cybersecurity expert Von Welch discusses data breaches in Q&A

These days, it seems like major data breaches happen on a semi-regular basis. Most recently, the credit bureau Experian was hacked, exposing the Social Security numbers, birthdates, and other methods of identification for millions of customers of the cellphone company T-Mobile, which partners with Experian. For many consumers, it can feel inevitable that their personal information will be leaked, an experience that leaves victims hopelessly frustrated.

One person who can answer some questions for consumers is Von Welch, director of Indiana University’s Center for Applied Cybersecurity Research (CACR). CACR, established in 2003, is a national leader in cybersecurity known for its expertise in both policy and technical matters. Welch recently shed some light on the T-Mobile and Experian situation, and the current state of cybersecurity as a whole.

How should exposed consumers respond to these types of situations?

Welch: The best thing to assume in this Experian case is if you’re a T-Mobile customer, your information probably has been leaked. In this case, it was mostly identity information around credit applications. This tends to be the type of information that’s used to get loans and do other forms of identity theft. The best thing people can do to protect themselves—and this is even something the Indiana attorney general stresses very highly—is to closely monitor their credit, and even put in a credit freeze by contacting your bank or credit card company. It’s a fairly straightforward process, which then requires you to unlock your credit if someone tries to take out a loan in your name. That’s the most solid defense we have today against those thefts. It’s a little bit of an inconvenience; on the other hand, it gives you assurances that nobody’s using your identity and destroying your credit rating.

As far as students, they should be aware because they have all the same risks that anyone with even an established credit history does. It can still be abused. It doesn’t give them any security just because they don’t have the same history of credit usage as anyone else. That’s the unfortunate truth.

Should consumers consider the specific companies involved less trustworthy than others now?

Welch: Many people probably haven’t even heard of Experian. They went in and applied to T-Mobile; T-Mobile then turned around and used Experian. This is a common scenario that we see, where people’s information that they’ve given to one company has been shared with another, and buried somewhere in all the fine print, you’ve agreed to this. But it’s one of these cases that can be confusing, because people have never dealt with Experian, yet here they find themselves with Experian losing their data.

As to whether we should trust Experian more or less, that’s a tough question. In some sense, as one of the big credit-reporting companies, it’s not something we have a lot of choice in. From a practical matter, these breaches are not uncommon and we really have a big challenge with the state of our IT infrastructure and the ingenuity, frankly, of some of the criminal elements. To say we’ll completely eliminate losing identity information is not any more reasonable than saying we expect banks not to be robbed. But we need to do a better job and get information breaches down to a reasonable level. Also, the overall identity information is broken right now. We need better regulation on accepting identity information for loans and other services. Why does accepting my Social Security number give you the ability to take out a loan in my name? Why can’t somebody there be bothered to check my ID?

What’s the current climate when it comes to data breaches?

Welch: The Experian breach involved personal information, as opposed to something like Target, which was credit card information, or something like the Anthem breach, which was medical information. For consumers, it’s important to understand the risks involved with all three types of information.

The one thing I tell most people about is not to worry too much about credit card fraud. We’re pretty well protected by banking laws. With credit cards, our biggest hassle is we have to be issued a new card. Now, debit cards are a little bit riskier, because it’s directly debiting from your account. You’ll lose the money. You’ll probably get it back, but you’re going to have to go through more hassle to do it, and you’re going to be out of the money until you get it back.

The personal information is a little bit riskier now, because that’s the sort of information that’s involved typically with what we think of as identity theft. People applying for credit in your name, and that can get you into a place where you’re really having to clean up a lot of hassle afterward. So that’s a greater risk than credit card theft.

The medical information is interesting. It’s the newest of the three. In some ways, it violates people’s privacy more than anything else and that’s a very personal issue to many people, how they feel about their medical information being released. We also probably know the least about how that information gets used. Sometimes we think it’s being used to get medical services—prescription drugs or even just people who used certain forms of identity theft, but to get medical services—and so it’s similar to identity theft in some ways. But it’s a different sort of risk there. It’s not going through the credit bureaus or anything like that. It’s going after the medical system, and they’re a little less used to that at this point.

Do businesses suffer financially as a result of these breaches?

Welch: There’s actually a lot of debate about how these breaches affect the bottom lines of a company. Of all the data I’ve seen, it’s not conclusive yet. When Target had the big breach last year, there was a lot of discussion and data was difficult, because at the same time, they were trying to do a big push into Canada that failed. The most conclusive arguments I’ve seen on this topic show that the businesses involved take only small hits. These businesses are very large and I won’t say it’s insignificant, but they easily lose more in failed business ventures and bad product launches than they do in these credit breaches. A million dollars sounds like a lot to us, but these companies tend to do hundreds of millions and billions of dollars in business. What I worry about more than anything is small businesses that don’t make the news, where something like this happening is really crippling.