12 Sep 2017 20:46 IST

The Equifax breach is a warning to UIDAI

India must seek insights from FBI on what went wrong so it can secure its database better

The unthinkable happened last week: in the US, sensitive identity data of 143 million consumers was reported stolen by hackers at Equifax, one of the world’s largest credit bureaus.

Equifax, along with Transunion and Experian, maintains credit histories of consumers and their transactions. These credit bureaus touch every American, although most Americans don’t even know they exist. In theory, what they do is remarkably efficient and serves the public good because America is a land dependent upon credit.

Right from the days of the ancient Romans, taking a loan and paying it back is nothing new to human nature. An essential part of a loan transaction is creditworthiness: the lender’s knowledge that the borrower will repay the loan with interest. Even in a person-to-person hand loan, we tend to give money only to those whom we trust will be as good as their word.

Determining creditworthiness

In India, banks, which have been traditional lenders for decades, determine credit-worthiness through various means. Before issuing a credit card, they demand salary information or information about deposits held to get a feel that the borrower generally has the means to pay. For bigger amounts, such as a student loan, they require multiple levels of signatories including the submission of collateral assets to secure a loan.

But Indian banks generally do not have insights into the behaviour of the borrowers — whether or not they intend to pay back their loans even though they have the means. Willingness to repay is just as important as an ability to repay. Indians understand this well after the debacle with liquor baron Vijay Mallya defaulting on huge loans at various big public sector banks.

Historical knowledge about a person’s behaviour when it comes to borrowed money is therefore vital. This is the central pillar of the American credit bureau model. Simple in concept but fascinating in its reach, the three credit bureaus have sought to digitise every person’s financial transactions into a massive database to build this individual history.

The American system

Every bill received by a consumer — a rent bill, a water bill, a phone bill, a credit card bill, a home mortgage bill — is reported to the bureaus so that they log it into their databases. Every bill paid by the consumer, including information such as whether it was paid on time or late, is logged into the same databases. The bureaus therefore hoard massive amounts of information — payment history, debt burden, length of credit history, types of credit used — about every American consumer.

However, hundreds of petabytes of data simply held in this manner are meaningless until they are used in decision-making. In 1989, a financial analytics firm called Fair, Isaac, and Company introduced what it called a FICO score. The company took this historical consumer data and used complex predictive analysis based on statistical models to arrive at a single numerical score of creditworthiness.

The higher the FICO score, the more creditworthy a person is. American banks offer consumers with higher FICO scores lower interest rates and more lenient loan terms. Conversely, lower FICO scores represent a more troubled credit history. Banks demand a higher premium in interest rates to cover the risk of loss. (Indian consumers are not so lucky; everyone borrows at the same interest rate, regardless of credit history).

Protecting the data

As a practical matter, however, the hoard of consumer data in three large databases held by three different companies always presented a major risk. Hackers, if successful in breaching the security of these three institutions, could instantly obtain sensitive information about millions of consumers all at once. This is exactly what happened last week when data on 143 million consumers was compromised despite rock solid security procedures in place at Equifax.

Indians consumers are lucky because there is no single database that contains all the financial data pertaining to a person. One can’t steal something if it’s not there to begin with. But before we feel safe, we should not ignore the 800-pound gorilla in the room. The Unique Identification Authority of India (UIDAI) has systematically used the Aadhaar Act and the powers vested in it to collect biometric information about Indians.

To date, the agency has collected extremely private information about 116 crore Indian citizens. In terms of the sheer size of consumer data, UIDAI’s data warehouse ranks as one of the largest in the world. This data store is clearly the largest of its kind when it comes to data sensitivity too. It holds the most private of consumer data — things that the consumer can never change through a lifetime.

Adequate safeguards?

Even India’s Supreme Court has said it is not convinced that the UIDAI has provided adequate safeguards against data theft. Coming on the heels of its landmark decision when it said Indians have an absolute right of privacy, the Court’s concerns about data security are even more magnified.

If a venerable profit-making financial institution such as Equifax — whose entire business model depends upon collecting and protecting sensitive consumer data — is now a victim of hacker theft, what assurances can we have that UIDAI data cannot be similarly stolen?

The Indian government has to use its new leverage with the Trump administration and work jointly with the FBI there to learn what went wrong at Equifax; and it has to increase the strength of its defences at UIDAI multiple-fold, because the forensic data of consumers — God-given and permanent through a consumer’s life — is much too valuable to be compromised.