This one was staggering: it targeted Equifax, one of the three largest consumer credit reporting agencies in the US. According to reports, nearly half of the US population could be affected by the hack.
Equifax said the hackers exposed data including names, birth dates, Social Security numbers, addresses and driver's license numbers, all of which Equifax is supposed to protect for its customers.
The company apparently discovered the unauthorised access on July 29th and determined that the intrusion began in mid-May.
The breach has the potential to create an identity theft nightmare for millions of Americans: Social Security numbers (the closest thing the US has to a national ID), addresses and driver's license numbers have all been exposed to cybercriminals.
Chester Wisniewski, principal research scientist, Sophos, said, "The breach at Equifax is another reminder that information that isn't properly protected will be stolen. Whether it is in the cloud, on a thumb drive or on a mobile device, unprotected data is valuable to criminals.”
“What's worse is that the bulk of the information, such as social security numbers, birthdays, addresses and other personal details, is far more valuable than the stolen credit card information. Your identity can't be changed or replaced like a credit card,” Wisniewski adds.
The motivation for the hackers is not known at the moment, but the potential for criminal activity with this kind of data is varied.
Regardless of the motivations of the attackers, this data is perfect for social engineering attacks, says Rick Holland, VP, strategy at Digital Shadows. These range from tax return fraud where fraudsters use Social Security numbers (SSNs) to file a tax return claiming a fraudulent refund, to opening fraudulent credit card accounts.
“Fraudsters can successfully open accounts in another individual's name, using a combination of SSNs, fraudulent gas statements and other personally identifiable information (PII). Individuals should be extra vigilant for any evidence of accounts being opened in their name,” says Holland.
Most likely, the individuals responsible for the breach are not the same criminals conducting the day-to-day fraud. Instead, they will resell the information on the dark web, for cents per unit, Holland explains.
Keiron Shepherd, senior security specialist, F5 Networks, says attacks such as these can be particularly destructive, because everyone in the sector uses the same data. “This is likely to give rise to phishing attempts from email addresses accessed as part of the breach, as hackers prey on consumers – either those unaware that their data has been compromised or those that use the same passwords across multiple online accounts,” Shepherd says.
With personal data exposed, consumers are also at risk of that data being used for fraudulent purposes. “Extra caution is urged in the weeks and even months ahead as attempts to scam vulnerable individuals are likely to be launched. It is another reminder for all firms holding sensitive personal data to review their security policies,” Shepherd warns.
The EU General Data Protection Regulation (GDPR), which applies from May 25, 2018, will add a new dynamic to how organisations respond to breaches. In this particular case, Equifax discovered the intrusion on July 29th but did not notify the public until September 7th, more than a month later.
GDPR will change the breach notification game, Holland observes. If this situation played out after May 25, 2018 and Equifax lost European Union citizens’ data, GDPR rules say notification must be done within 72 hours of first having become aware of the breach. “When the fines do come into place, the timing of the communication will have a significant impact,” says Holland.