#SubOversight Dives into Post-Data Breach Identity Verification Practices

The following press release was published by the House Committee on Energy and Commerce on Nov. 30, 2017. It is reproduced in full below.

WASHINGTON, DC - The Subcommittee on Oversight and Investigations held a hearing today exploring consumer identity verification practices after a series of massive data breaches compromised the personal information of hundreds of millions of Americans.

#SubOversight Vice Chairman Morgan Griffith (R-VA) began today’s hearing with a discussion on the challenges facing consumers in our new, post-breach world: “Data breaches have been an increasing problem over the last several years. In fact, it is likely that everyone in this room has had their information included in a recent breach. Between the 57 million accounts compromised in Uber’s recently disclosed 2016 breach, the 145 million accounts compromised in Equifax’s breach, or the 22 million accounts compromised in the OPM breach, as well as many others, I would argue that it would be difficult to find an American whose information has not been compromised. While these breaches themselves are troubling enough, they also raise a subtle, more complicated series of questions and issues around the ways in which organizations, including government agencies, banks, healthcare organizations, and retail companies, perform identity verification of their citizens and customers.”

In his opening remarks, Energy and Commerce Committee Chairman Greg Walden (R-OR) highlighted the need to reexamine how we authenticate a consumer’s identity online: “For years, we have relied on user names, passwords and knowledge-based questions to confirm a user’s identity. It’s not a particularly sophisticated process - your mother’s maiden name, or the make and model of your first car aren’t exactly reliable forms of verification. Regardless, this process was suitable for a period of time in the evolution of our connected world - but that time has long since passed. … What has changed to make existing identity management practices so ineffectual and vulnerable to attack? There are a number of factors at play, but the underlying answer is fairly simple - today, the information necessary to compromise identity is readily available to those who wish to find it.”

Mr. Troy Hunt, Information Security Author and Instructor, Pluralsight, shed light in his testimony on the danger of malicious actors packaging stolen data from multiple breaches into one identity profile: “Data aggregation - whether it be from [Open Source Intelligence] sources alone or combined with data breaches - is enormously powerful as it can result in a very comprehensive personal profile being built. One system may leak an email address and a name in the user interface, another has a data breach and exposes their home address, then that’s combined with an OSINT source that lists their profile photo and date of birth. Suddenly, many of the ingredients required to identify and indeed impersonate the individual are now readily available.”

Mr. Jeremy A. Grant, Managing Director, Technology Business Strategy, Venable, LLP, shared insight on the need for government and industry to adapt in order to protect and verify consumers’ identities: “A key takeaway for this Committee to understand today is that attackers have caught up with many of the ‘first-generation tools’ we have used to protect and verify identity. The recent Equifax breach may have driven this point home, but the reality is that these tools have been vulnerable for quite some time. There are many reasons for this - and certainly blame to allocate - but the most important question is: ‘What should government and industry do about it now?’ I believe we are at a juncture where the government will need to step up and play a bigger role to help address critical vulnerabilities in our ‘digital identity fabric.’”

A background memo, witness testimony, and an archived webcast of the hearing can be found online here.

Source: House Committee on Energy and Commerce