TDWI | Training & Research | Business Intelligence, Analytics, Big Data, Data Warehousing

Lessons from the Equifax Data Breach

The recent data breaches should serve as a catalyst to more seriously consider what data we collect and store in our data warehouses.

• By Mike Schiff
• November 13, 2017

By now we have all heard about the massive data breach of Equifax's credit reporting database that potentially exposed sensitive consumer data such as the Social Security numbers, birthdates, addresses, driver's license numbers, and other supposedly private information of over 143 million people. Additionally, over 200,000 credit card numbers were compromised.

Effects of a Consumer Data Breach

For Further Reading: The Great Yahoo Data Breach: 6 Steps to Reducing Risk Top 5 Cloud Security Threats You Need to Understand Enterprises Facing New, Stringent Privacy Regulations

From the consumers' perspective, this obviously now makes them more vulnerable to identity theft; from Equifax's perspective, it severely damages its reputation and exposes the company to a wide variety of civil and perhaps criminal charges including insider trading (three Equifax executives allegedly sold stock approximately one month prior to the breach being made public on September 7).

As data warehouse practitioners, we recognize that our data warehouses contain sensitive and proprietary organizational, sales, and product data that must be protected lest competitors gain access and use it for competitive advantage. Furthermore, as most organizations also store and analyze customer and prospect data, we need to ensure that this data is protected as well.

In fact, as companies including Equifax, Anthem, Target, and Home Depot have found, compromising customer data (e.g., credit cards, email addresses, etc.) can have negative consequences that can overshadow the compromise of other data, due to the loss of consumer confidence and long-term damage to the organization's reputation. For example, although Target cashiers will likely ask me if I wish to sign up for a Target credit card during the checkout process, my gut (albeit unspoken) reaction is still, "You must be kidding!"

The fallout from the Equifax data breach will likely lead to enhanced organizational procedures reinforcing data protection and to further governmental compliance regulations such as those affecting victim notification, follow-on identify theft monitoring, privacy, and investor disclosure. It should also push us to consider the potential liability our organizations would have if the data in our warehouses were compromised.

Think Before You Collect More Data

Our users, and in many cases, we ourselves, have come to believe that because the cost of storage continues to decrease while compute power continues to increase, we should collect and store more data on the chance that it could be useful for future, but currently unforeseen, analytics needs.

Instead, we should encourage our organizations to perform a cost/benefit analysis when evaluating additional data collection requests that includes the consequences of what would occur if the data were compromised or stolen as well as the cost of gathering, cleaning, integrating, and storing the data.

On a somewhat related topic, I am aware of several organizations that discourage collecting and retaining some historical data because they fear it might come back to haunt them if they were asked to provide it during a lawsuit's discovery process.

In summary, the recent data breaches should serve as a catalyst to more seriously consider what data we collect and store in our data warehouses. "It might be useful for later analysis" should not be a sufficient response, especially if a data breach would lead to adverse economic or reputational consequences. Your cost/benefit analyses should include the impact of having this data compromised and the marginal cost of taking steps to protect it.