How Blockchain Could Change the Management of Identities and Passwords and Prevent Occupational Fraud

Description of the Problem
On September 7, 2017, Equifax, one of the three major credit reporting agencies in the United States, announced that hackers had breached its computer systems and gained access to the identities of about 145 million United States residents, over 40 million British residents and thousands of Canadians.
The attack started at the beginning of May 2017, yet was only noticed on July 29, which means that the company kept its customers in the dark about the breach for over a month.
Hackers gained access to full names, social security numbers, birth dates, addresses, and for some records even driver's license numbers. In February of 2018, the company announced that the number of breached identities was actually larger than originally reported by over two million, which means that the total number of consumers impacted by the breach in the United States was 147.9 million people.
A probe of the company by Senator Elizabeth Warren found that Equifax did not keep its computer systems protected and failed to inform the public about the full extent of the problem. Despite all these issues, in 2018 all the members of the company’s board of directors were reelected to their positions.
When most people hear about breaches such as the Equifax breach, they immediately start thinking about what the hackers might do with the information they have accessed. This is actually not the biggest problem, because if someone were to use your information improperly, you would be able to find out about it and fix it. A much bigger problem, which does happen to many companies, is when hackers access the information, infiltrate the systems, and then change or edit the information before they misuse it.
When somebody misuses information about you, you have to deal with the misuse. If they change the information first, you have to prove that the change happened, and this is much harder, especially when there is no immutable record of the information.
Companies such as Equifax store the information on centralized servers, which means that once hackers gain access to it and change it, there could be no way to trace the changes back and restore the information to its original state.
Another problem related to these issues is occupational fraud, not just misuse of identities. Occupational fraud is when a person uses business information and assets for personal gain. Categories of occupational fraud include fraudulent disbursements, theft or editing of receipts and statements, skimming, edited revenues, check fraud, fake refunds, false voids and so on. In the Equifax breach, three company executives sold stock on August 2, 2017. This date falls in the period between the company learning about the breach and the company informing the public about it, after which Equifax stock plunged. The trades were not pre-scheduled and involved Equifax's Chief Financial Officer, the President of US Information Solutions and the President of Workforce Solutions. Because of this sale, the Department of Justice opened a criminal investigation into the actions of the executives (source: https://www.bloomberg.com/news/articles/2017-09-18/equifax-stock-sales-said-to-be-focus-of-u-s-criminal-probe).
On a larger scale, according to reports by the Association of Certified Fraud Examiners, occupational fraud costs businesses around 5% of their gross revenues. In hard numbers, this figure equals about $3.7 trillion annually. The median loss due to occupational fraud is $145,000 per year, and 22% of cases involve losses of more than $1 million per year.
Just like with cybersecurity, it is the smaller companies that suffer the most and incur a disproportionate percentage of losses. If this seems strange to you, remember that with big companies the risks of getting caught are larger than in smaller companies, be it cyberattacks or occupational fraud. With a small company, the rewards may not be as big as they would be with a large company, but the risks of getting caught may also be much smaller. If a company is run by one business owner who is busy with operations, marketing, training and supervision of employees, then the owner may not even notice that something has happened. This is one of the reasons why check tampering, according to the Association of Certified Fraud Examiners, happens in 22% of small businesses, yet only in 7% of large companies. The industries that are most likely to suffer from fraud are banking and financial services, and the government. The real estate, mining and gas industries had the largest median losses (source: https://www.complianceweek.com/blogs/the-filing-cabinet/report-fraud-loss-at-37-trillion-globally#.Wu7ilqQvzal).